FD.io VPP  v21.06
Vector Packet Processing
acl.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2016 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <stddef.h>
17 
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
20 #include <acl/acl.h>
21 
22 #include <vnet/l2/l2_classify.h>
23 #include <vnet/l2/l2_in_out_feat_arc.h>
24 #include <vnet/classify/in_out_acl.h>
25 #include <vpp/app/version.h>
26 
27 #include <vnet/ethernet/ethernet_types_api.h>
28 #include <vnet/ip/format.h>
29 #include <vnet/ethernet/ethernet.h>
30 #include <vnet/ip/ip_types_api.h>
31 
32 #include <vlibapi/api.h>
33 #include <vlibmemory/api.h>
34 
35 /* define message IDs */
36 #include <acl/acl.api_enum.h>
37 #include <acl/acl.api_types.h>
38 
39 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
40 
41 #include "fa_node.h"
42 #include "public_inlines.h"
43 
44 acl_main_t acl_main;
45 
46 #define REPLY_MSG_ID_BASE am->msg_id_base
47 #include <vlibapi/api_helper_macros.h>
48 
49 /*
50  * The code for the bihash, used by the session management.
51  */
52 #include <vppinfra/bihash_40_8.h>
53 #include <vppinfra/bihash_template.h>
54 #include <vppinfra/bihash_template.c>
55 
56 /* *INDENT-OFF* */
57 VLIB_PLUGIN_REGISTER () = {
58  .version = VPP_BUILD_VER,
59  .description = "Access Control Lists (ACL)",
60 };
61 /* *INDENT-ON* */
62 
63 /* methods exported from ACL-as-a-service */
64 static acl_plugin_methods_t acl_plugin;
65 
66 /* Format vec16. */
67 u8 *
68 format_vec16 (u8 * s, va_list * va)
69 {
70  u16 *v = va_arg (*va, u16 *);
71  char *fmt = va_arg (*va, char *);
72  uword i;
73  for (i = 0; i < vec_len (v); i++)
74  {
75  if (i > 0)
76  s = format (s, ", ");
77  s = format (s, fmt, v[i]);
78  }
79  return s;
80 }
81 
82 static void
83 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
84 {
85  acl_main_t *am = &acl_main;
86  vl_api_acl_plugin_get_version_reply_t *rmp;
87  int msg_size = sizeof (*rmp);
88  vl_api_registration_t *reg;
89 
90  reg = vl_api_client_index_to_registration (mp->client_index);
91  if (!reg)
92  return;
93 
94  rmp = vl_msg_api_alloc (msg_size);
95  clib_memset (rmp, 0, msg_size);
96  rmp->_vl_msg_id =
97  ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
98  rmp->context = mp->context;
99  rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
100  rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
101 
102  vl_api_send_msg (reg, (u8 *) rmp);
103 }
104 
105 static void
106 vl_api_acl_plugin_control_ping_t_handler (vl_api_acl_plugin_control_ping_t *
107  mp)
108 {
109  vl_api_acl_plugin_control_ping_reply_t *rmp;
110  acl_main_t *am = &acl_main;
111  int rv = 0;
112 
113  /* *INDENT-OFF* */
114  REPLY_MACRO2 (VL_API_ACL_PLUGIN_CONTROL_PING_REPLY,
115  ({
116  rmp->vpe_pid = ntohl (getpid ());
117  }));
118  /* *INDENT-ON* */
119 }
120 
121 static void
122 print_clib_warning_and_reset (vlib_main_t * vm, u8 * out0)
123 {
124  clib_warning ("%v", out0);
125  vec_reset_length (out0);
126 }
127 
128 static void
129 print_cli_and_reset (vlib_main_t * vm, u8 * out0)
130 {
131  vlib_cli_output (vm, "%v", out0);
132  vec_reset_length (out0);
133 }
134 
135 typedef void (*acl_vector_print_func_t) (vlib_main_t * vm, u8 * out0);
136 
137 static inline u8 *
138 format_acl_action (u8 * s, u8 action)
139 {
140  switch (action)
141  {
142  case 0:
143  s = format (s, "deny");
144  break;
145  case 1:
146  s = format (s, "permit");
147  break;
148  case 2:
149  s = format (s, "permit+reflect");
150  break;
151  default:
152  s = format (s, "action %d", action);
153  }
154  return (s);
155 }
156 
157 static void
158 acl_print_acl_x (acl_vector_print_func_t vpr, vlib_main_t * vm,
159  acl_main_t * am, int acl_index)
160 {
161  acl_rule_t *r;
162  acl_rule_t *acl_rules = am->acls[acl_index].rules;
163  u8 *out0 = format (0, "acl-index %u count %u tag {%s}\n", acl_index,
164  vec_len (acl_rules), am->acls[acl_index].tag);
165  int j;
166  vpr (vm, out0);
167  for (j = 0; j < vec_len (acl_rules); j++)
168  {
169  r = &acl_rules[j];
170  out0 = format (out0, " %9d: %s ", j, r->is_ipv6 ? "ipv6" : "ipv4");
171  out0 = format_acl_action (out0, r->is_permit);
172  out0 = format (out0, " src %U/%d", format_ip46_address, &r->src,
173  r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
174  r->src_prefixlen);
175  out0 =
176  format (out0, " dst %U/%d", format_ip46_address, &r->dst,
177  r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, r->dst_prefixlen);
178  out0 = format (out0, " proto %d", r->proto);
179  out0 = format (out0, " sport %d", r->src_port_or_type_first);
180  if (r->src_port_or_type_first != r->src_port_or_type_last)
181  {
182  out0 = format (out0, "-%d", r->src_port_or_type_last);
183  }
184  out0 = format (out0, " dport %d", r->dst_port_or_code_first);
185  if (r->dst_port_or_code_first != r->dst_port_or_code_last)
186  {
187  out0 = format (out0, "-%d", r->dst_port_or_code_last);
188  }
189  if (r->tcp_flags_mask || r->tcp_flags_value)
190  {
191  out0 =
192  format (out0, " tcpflags %d mask %d", r->tcp_flags_value,
193  r->tcp_flags_mask);
194  }
195  out0 = format (out0, "\n");
196  vpr (vm, out0);
197  }
198 }
199 
200 static void
201  vl_api_acl_plugin_get_conn_table_max_entries_t_handler
202  (vl_api_acl_plugin_get_conn_table_max_entries_t * mp)
203 {
204  acl_main_t *am = &acl_main;
205  vl_api_acl_plugin_get_conn_table_max_entries_reply_t *rmp;
206  int msg_size = sizeof (*rmp);
207  vl_api_registration_t *rp;
208 
209  rp = vl_api_client_index_to_registration (mp->client_index);
210  if (rp == 0)
211  return;
212 
213  rmp = vl_msg_api_alloc (msg_size);
214  memset (rmp, 0, msg_size);
215  rmp->_vl_msg_id =
216  ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY +
217  am->msg_id_base);
218  rmp->context = mp->context;
219  rmp->conn_table_max_entries =
220  clib_net_to_host_u64 (am->fa_conn_table_max_entries);
221 
222  vl_api_send_msg (rp, (u8 *) rmp);
223 }
224 
225 static void
226 acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
227 {
228  acl_print_acl_x (print_cli_and_reset, vm, am, acl_index);
229 }
230 
231 static void
232 warning_acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
233 {
234  acl_print_acl_x (print_clib_warning_and_reset, vm, am, acl_index);
235 }
236 
237 static void
238 increment_policy_epoch (acl_main_t * am, u32 sw_if_index, int is_input)
239 {
240 
241  u32 **ppolicy_epoch_by_swi =
242  is_input ? &am->input_policy_epoch_by_sw_if_index :
243  &am->output_policy_epoch_by_sw_if_index;
244  vec_validate (*ppolicy_epoch_by_swi, sw_if_index);
245 
246  u32 *p_epoch = vec_elt_at_index ((*ppolicy_epoch_by_swi), sw_if_index);
247  *p_epoch =
248  ((1 + *p_epoch) & FA_POLICY_EPOCH_MASK) +
249  (is_input * FA_POLICY_EPOCH_IS_INPUT);
250 }
251 
252 static void
253 try_increment_acl_policy_epoch (acl_main_t * am, u32 acl_num, int is_input)
254 {
255  u32 ***p_swi_vec_by_acl = is_input ? &am->input_sw_if_index_vec_by_acl
256  : &am->output_sw_if_index_vec_by_acl;
257  if (acl_num < vec_len (*p_swi_vec_by_acl))
258  {
259  u32 *p_swi;
260  vec_foreach (p_swi, (*p_swi_vec_by_acl)[acl_num])
261  {
262  increment_policy_epoch (am, *p_swi, is_input);
263  }
264 
265  }
266 }
267 
268 static void
269 policy_notify_acl_change (acl_main_t * am, u32 acl_num)
270 {
271  try_increment_acl_policy_epoch (am, acl_num, 0);
272  try_increment_acl_policy_epoch (am, acl_num, 1);
273 }
274 
275 
276 static void
277 validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
278 {
279  int i;
280  /* counters are set as vectors [acl#] pointing to vectors of [acl rule] */
281  acl_plugin_counter_lock (am);
282 
283  int old_len = vec_len (am->combined_acl_counters);
284 
285  vec_validate (am->combined_acl_counters, acl_index);
286 
287  for (i = old_len; i < vec_len (am->combined_acl_counters); i++)
288  {
289  am->combined_acl_counters[i].name = 0;
290  /* filled in once only */
291  am->combined_acl_counters[i].stat_segment_name = (void *)
292  format (0, "/acl/%d/matches%c", i, 0);
293  i32 rule_count = vec_len (am->acls[i].rules);
294  /* Validate one extra so we always have at least one counter for an ACL */
295  vlib_validate_combined_counter (&am->combined_acl_counters[i],
296  rule_count);
297  vlib_clear_combined_counters (&am->combined_acl_counters[i]);
298  }
299 
300  /* (re)validate for the actual ACL that is getting added/updated */
301  i32 rule_count = vec_len (am->acls[acl_index].rules);
302  /* Validate one extra so we always have at least one counter for an ACL */
303  vlib_validate_combined_counter (&am->combined_acl_counters[acl_index],
304  rule_count);
305  vlib_clear_combined_counters (&am->combined_acl_counters[acl_index]);
306  acl_plugin_counter_unlock (am);
307 }
308 
309 static int
310 acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
311 {
312  ip_prefix_t ip_prefix;
313  return ip_prefix_decode2 (prefix, &ip_prefix);
314 }
315 
316 static int
317 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
318  u32 * acl_list_index, u8 * tag)
319 {
320  acl_main_t *am = &acl_main;
321  acl_list_t *a;
322  acl_rule_t *r;
323  acl_rule_t *acl_new_rules = 0;
324  size_t tag_len;
325  int i;
326 
327  tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag));
328  if (tag_len == sizeof (a->tag))
329  return VNET_API_ERROR_INVALID_VALUE;
330 
331  if (am->trace_acl > 255)
332  clib_warning ("API dbg: acl_add_list index %d tag %s", *acl_list_index,
333  tag);
334 
335  /* check if what they request is consistent */
336  for (i = 0; i < count; i++)
337  {
338  if (acl_api_invalid_prefix (&rules[i].src_prefix))
339  return VNET_API_ERROR_INVALID_SRC_ADDRESS;
340  if (acl_api_invalid_prefix (&rules[i].dst_prefix))
341  return VNET_API_ERROR_INVALID_DST_ADDRESS;
342  if (ntohs (rules[i].srcport_or_icmptype_first) >
343  ntohs (rules[i].srcport_or_icmptype_last))
344  return VNET_API_ERROR_INVALID_VALUE_2;
345  if (ntohs (rules[i].dstport_or_icmpcode_first) >
346  ntohs (rules[i].dstport_or_icmpcode_last))
347  return VNET_API_ERROR_INVALID_VALUE_2;
348  }
349 
350  if (*acl_list_index != ~0)
351  {
352  /* They supplied some number, let's see if this ACL exists */
353  if (pool_is_free_index (am->acls, *acl_list_index))
354  {
355  /* tried to replace a non-existent ACL, no point doing anything */
356  clib_warning
357  ("acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)",
358  *acl_list_index, tag);
359  return VNET_API_ERROR_NO_SUCH_ENTRY;
360  }
361  }
362  if (0 == count)
363  {
364  clib_warning
365  ("acl-plugin-warning: supplied no rules for ACL %d (tag %s)",
366  *acl_list_index, tag);
367  }
368 
369  /* Create and populate the rules */
370  if (count > 0)
371  vec_validate (acl_new_rules, count - 1);
372 
373  for (i = 0; i < count; i++)
374  {
375  r = vec_elt_at_index (acl_new_rules, i);
376  clib_memset (r, 0, sizeof (*r));
377  r->is_permit = rules[i].is_permit;
378  r->is_ipv6 = rules[i].src_prefix.address.af;
379  ip_address_decode (&rules[i].src_prefix.address, &r->src);
380  ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
381  r->src_prefixlen = rules[i].src_prefix.len;
382  r->dst_prefixlen = rules[i].dst_prefix.len;
383  r->proto = rules[i].proto;
384  r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
385  r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
386  r->dst_port_or_code_first = ntohs (rules[i].dstport_or_icmpcode_first);
387  r->dst_port_or_code_last = ntohs (rules[i].dstport_or_icmpcode_last);
388  r->tcp_flags_value = rules[i].tcp_flags_value;
389  r->tcp_flags_mask = rules[i].tcp_flags_mask;
390  }
391 
392  if (~0 == *acl_list_index)
393  {
394  /* Get ACL index */
395  pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
396  clib_memset (a, 0, sizeof (*a));
397  /* Will return the newly allocated ACL index */
398  *acl_list_index = a - am->acls;
399  }
400  else
401  {
402  a = am->acls + *acl_list_index;
403  /* Get rid of the old rules */
404  if (a->rules)
405  vec_free (a->rules);
406  }
407  a->rules = acl_new_rules;
408  memcpy (a->tag, tag, tag_len + 1);
409  if (am->trace_acl > 255)
410  warning_acl_print_acl (am->vlib_main, am, *acl_list_index);
411  if (am->reclassify_sessions)
412  {
413  /* a change in an ACLs if they are applied may mean a new policy epoch */
414  policy_notify_acl_change (am, *acl_list_index);
415  }
416  validate_and_reset_acl_counters (am, *acl_list_index);
417  acl_plugin_lookup_context_notify_acl_change (*acl_list_index);
418  return 0;
419 }
420 
421 static int
422 acl_is_used_by (u32 acl_index, u32 ** foo_index_vec_by_acl)
423 {
424  if (acl_index < vec_len (foo_index_vec_by_acl))
425  {
426  if (vec_len (vec_elt (foo_index_vec_by_acl, acl_index)) > 0)
427  {
428  /* ACL is applied somewhere. */
429  return 1;
430  }
431  }
432  return 0;
433 }
434 
435 static int
436 acl_del_list (u32 acl_list_index)
437 {
438  acl_main_t *am = &acl_main;
439  acl_list_t *a;
440  if (pool_is_free_index (am->acls, acl_list_index))
441  {
442  return VNET_API_ERROR_NO_SUCH_ENTRY;
443  }
444  if (acl_is_used_by (acl_list_index, am->input_sw_if_index_vec_by_acl))
445  return VNET_API_ERROR_ACL_IN_USE_INBOUND;
446  if (acl_is_used_by (acl_list_index, am->output_sw_if_index_vec_by_acl))
447  return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
448  /* lookup contexts cover other cases, not just inbound/outbound, so check that */
449  if (acl_is_used_by (acl_list_index, am->lc_index_vec_by_acl))
450  return VNET_API_ERROR_ACL_IN_USE_BY_LOOKUP_CONTEXT;
451 
452  /* now we can delete the ACL itself */
453  a = pool_elt_at_index (am->acls, acl_list_index);
454  if (a->rules)
455  vec_free (a->rules);
456  pool_put (am->acls, a);
457  /* acl_list_index is now free, notify the lookup contexts */
458  acl_plugin_lookup_context_notify_acl_change (acl_list_index);
459  return 0;
460 }
461 
462 static int
463 count_skip (u8 * p, u32 size)
464 {
465  u64 *p64 = (u64 *) p;
466  /* Be tolerant to null pointer */
467  if (0 == p)
468  return 0;
469 
470  while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
471  {
472  p64++;
473  }
474  return (p64 - (u64 *) p) / 2;
475 }
476 
477 static int
478 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
479  u32 mask_len, u32 next_table_index,
480  u32 miss_next_index, u32 * table_index,
481  int is_add)
482 {
483  u32 nbuckets = 32;
484  u32 memory_size = 2 << 22;
485  u32 skip = count_skip (mask, mask_len);
486  u32 match = (mask_len / 16) - skip;
487  u8 *skip_mask_ptr = mask + 16 * skip;
488  u32 current_data_flag = 0;
489  int current_data_offset = 0;
490 
491  if (0 == match)
492  match = 1;
493 
494  int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
495  memory_size, skip, match,
496  next_table_index, miss_next_index,
497  table_index, current_data_flag,
498  current_data_offset, is_add,
499  1 /* delete_chain */ );
500  return ret;
501 }
502 
503 static int
504 intf_has_etype_whitelist (acl_main_t * am, u32 sw_if_index, int is_input)
505 {
506  u16 **v = is_input
507  ? am->input_etype_whitelist_by_sw_if_index
508  : am->output_etype_whitelist_by_sw_if_index;
509  u16 *whitelist = (vec_len (v) > sw_if_index) ? vec_elt (v, sw_if_index) : 0;
510  return vec_len (whitelist) > 0;
511 }
512 
513 static void
514 acl_clear_sessions (acl_main_t * am, u32 sw_if_index)
515 {
516  vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
517  ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
518  sw_if_index);
519 }
520 
521 
522 static int
523 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
524  int enable_disable)
525 {
526  int rv = 0;
527 
528  /* Utterly wrong? */
529  if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
530  sw_if_index))
531  return VNET_API_ERROR_INVALID_SW_IF_INDEX;
532 
533  if (clib_bitmap_get (am->in_acl_on_sw_if_index, sw_if_index) ==
534  enable_disable)
535  return 0;
536 
537  acl_fa_enable_disable (sw_if_index, 1, enable_disable);
538 
539  rv = vnet_l2_feature_enable_disable ("l2-input-ip4", "acl-plugin-in-ip4-l2",
540  sw_if_index, enable_disable, 0, 0);
541  if (rv)
542  clib_error ("Could not enable on input");
543  rv = vnet_l2_feature_enable_disable ("l2-input-ip6", "acl-plugin-in-ip6-l2",
544  sw_if_index, enable_disable, 0, 0);
545  if (rv)
546  clib_error ("Could not enable on input");
547 
548  if (intf_has_etype_whitelist (am, sw_if_index, 1))
549  vnet_l2_feature_enable_disable ("l2-input-nonip",
550  "acl-plugin-in-nonip-l2", sw_if_index,
551  enable_disable, 0, 0);
552  am->in_acl_on_sw_if_index =
553  clib_bitmap_set (am->in_acl_on_sw_if_index, sw_if_index, enable_disable);
554 
555  return rv;
556 }
557 
558 static int
559 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
560  int enable_disable)
561 {
562  int rv = 0;
563 
564  /* Utterly wrong? */
565  if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
566  sw_if_index))
567  return VNET_API_ERROR_INVALID_SW_IF_INDEX;
568 
569  if (clib_bitmap_get (am->out_acl_on_sw_if_index, sw_if_index) ==
570  enable_disable)
571  return 0;
572 
573  acl_fa_enable_disable (sw_if_index, 0, enable_disable);
574 
575  rv =
576  vnet_l2_feature_enable_disable ("l2-output-ip4", "acl-plugin-out-ip4-l2",
577  sw_if_index, enable_disable, 0, 0);
578  if (rv)
579  clib_error ("Could not enable on output");
580  rv =
581  vnet_l2_feature_enable_disable ("l2-output-ip6", "acl-plugin-out-ip6-l2",
582  sw_if_index, enable_disable, 0, 0);
583  if (rv)
584  clib_error ("Could not enable on output");
585  if (intf_has_etype_whitelist (am, sw_if_index, 0))
586  vnet_l2_feature_enable_disable ("l2-output-nonip",
587  "acl-plugin-out-nonip-l2", sw_if_index,
588  enable_disable, 0, 0);
589  am->out_acl_on_sw_if_index =
590  clib_bitmap_set (am->out_acl_on_sw_if_index, sw_if_index, enable_disable);
591 
592  return rv;
593 }
594 
595 static int
596 acl_stats_intf_counters_enable_disable (acl_main_t * am, int enable_disable)
597 {
598  int rv = 0;
599 
600  am->interface_acl_counters_enabled = enable_disable;
601 
602  return rv;
603 }
604 
605 static int
606 acl_interface_inout_enable_disable (acl_main_t * am, u32 sw_if_index,
607  int is_input, int enable_disable)
608 {
609  if (is_input)
610  return acl_interface_in_enable_disable (am, sw_if_index, enable_disable);
611  else
612  return acl_interface_out_enable_disable (am, sw_if_index, enable_disable);
613 }
614 
615 static int
616 acl_is_not_defined (acl_main_t * am, u32 acl_list_index)
617 {
618  return (pool_is_free_index (am->acls, acl_list_index));
619 }
620 
621 static int
622 acl_interface_set_inout_acl_list (acl_main_t * am, u32 sw_if_index,
623  u8 is_input, u32 * vec_acl_list_index,
624  int *may_clear_sessions)
625 {
626  u32 *pacln;
627  uword *seen_acl_bitmap = 0;
628  uword *old_seen_acl_bitmap = 0;
629  uword *change_acl_bitmap = 0;
630  int acln;
631  int rv = 0;
632 
633 
634  if (am->trace_acl > 255)
635  clib_warning
636  ("API dbg: acl_interface_set_inout_acl_list: sw_if_index %d is_input %d acl_vec: [%U]",
637  sw_if_index, is_input, format_vec32, vec_acl_list_index, "%d");
638 
639  vec_foreach (pacln, vec_acl_list_index)
640  {
641  if (acl_is_not_defined (am, *pacln))
642  {
643  /* ACL is not defined. Can not apply */
644  clib_warning ("ERROR: ACL %d not defined", *pacln);
645  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
646  goto done;
647  }
648  if (clib_bitmap_get (seen_acl_bitmap, *pacln))
649  {
650  /* ACL being applied twice within the list. error. */
651  clib_warning ("ERROR: ACL %d being applied twice", *pacln);
652  rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
653  goto done;
654  }
655  seen_acl_bitmap = clib_bitmap_set (seen_acl_bitmap, *pacln, 1);
656  }
657 
658 
659  u32 **pinout_lc_index_by_sw_if_index =
660  is_input ? &am->input_lc_index_by_sw_if_index : &am->
661  output_lc_index_by_sw_if_index;
662 
663  u32 ***pinout_acl_vec_by_sw_if_index =
664  is_input ? &am->input_acl_vec_by_sw_if_index : &am->
665  output_acl_vec_by_sw_if_index;
666 
667  u32 ***pinout_sw_if_index_vec_by_acl =
668  is_input ? &am->input_sw_if_index_vec_by_acl : &am->
669  output_sw_if_index_vec_by_acl;
670 
671  vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
672 
673  clib_bitmap_validate (old_seen_acl_bitmap, 1);
674 
675  vec_foreach (pacln, (*pinout_acl_vec_by_sw_if_index)[sw_if_index])
676  {
677  old_seen_acl_bitmap = clib_bitmap_set (old_seen_acl_bitmap, *pacln, 1);
678  }
679  change_acl_bitmap =
680  clib_bitmap_dup_xor (old_seen_acl_bitmap, seen_acl_bitmap);
681 
682  if (am->trace_acl > 255)
683  clib_warning ("bitmaps: old seen %U new seen %U changed %U",
684  format_bitmap_hex, old_seen_acl_bitmap, format_bitmap_hex,
685  seen_acl_bitmap, format_bitmap_hex, change_acl_bitmap);
686 
687 /* *INDENT-OFF* */
688  clib_bitmap_foreach (acln, change_acl_bitmap) {
689  if (clib_bitmap_get(old_seen_acl_bitmap, acln)) {
690  /* ACL is being removed. */
691  if (acln < vec_len((*pinout_sw_if_index_vec_by_acl))) {
692  int index = vec_search((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
693  vec_del1((*pinout_sw_if_index_vec_by_acl)[acln], index);
694  }
695  } else {
696  /* ACL is being added. */
697  vec_validate((*pinout_sw_if_index_vec_by_acl), acln);
698  vec_add1((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
699  }
700  }
701 /* *INDENT-ON* */
702 
703  vec_free ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
704  (*pinout_acl_vec_by_sw_if_index)[sw_if_index] =
705  vec_dup (vec_acl_list_index);
706 
707  if (am->reclassify_sessions)
708  {
709  /* re-applying ACLs means a new policy epoch */
710  increment_policy_epoch (am, sw_if_index, is_input);
711  }
712  else
713  {
714  /* if no commonalities between the ACL# - then we should definitely clear the sessions */
715  if (may_clear_sessions && *may_clear_sessions
716  && !clib_bitmap_is_zero (change_acl_bitmap))
717  {
718  acl_clear_sessions (am, sw_if_index);
719  *may_clear_sessions = 0;
720  }
721  }
722 
723  /*
724  * prepare or delete the lookup context if necessary, and if context exists, set ACL list
725  */
726  vec_validate_init_empty ((*pinout_lc_index_by_sw_if_index), sw_if_index,
727  ~0);
728  if (vec_len (vec_acl_list_index) > 0)
729  {
730  u32 lc_index = (*pinout_lc_index_by_sw_if_index)[sw_if_index];
731  if (~0 == lc_index)
732  {
733  lc_index =
734  acl_plugin.get_lookup_context_index (am->interface_acl_user_id,
735  sw_if_index, is_input);
736  (*pinout_lc_index_by_sw_if_index)[sw_if_index] = lc_index;
737  }
738  acl_plugin.set_acl_vec_for_context (lc_index, vec_acl_list_index);
739  }
740  else
741  {
742  if (~0 != (*pinout_lc_index_by_sw_if_index)[sw_if_index])
743  {
744  acl_plugin.
745  put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)
746  [sw_if_index]);
747  (*pinout_lc_index_by_sw_if_index)[sw_if_index] = ~0;
748  }
749  }
750  /* ensure ACL processing is enabled/disabled as needed */
751  acl_interface_inout_enable_disable (am, sw_if_index, is_input,
752  vec_len (vec_acl_list_index) > 0);
753 
754 done:
755  clib_bitmap_free (change_acl_bitmap);
756  clib_bitmap_free (seen_acl_bitmap);
757  clib_bitmap_free (old_seen_acl_bitmap);
758  return rv;
759 }
760 
761 static void
762 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input,
763  int *may_clear_sessions)
764 {
765  acl_main_t *am = &acl_main;
766  acl_interface_set_inout_acl_list (am, sw_if_index, is_input, 0,
767  may_clear_sessions);
768 }
769 
770 static int
771 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
772  u32 acl_list_index)
773 {
774 
775  acl_main_t *am = &acl_main;
776  u32 *acl_vec = 0;
777  int may_clear_sessions = 1;
778 
779  int error_already_applied = is_input ? VNET_API_ERROR_ACL_IN_USE_INBOUND
780  : VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
781 
782  u32 ***pinout_acl_vec_by_sw_if_index =
783  is_input ? &am->input_acl_vec_by_sw_if_index : &am->
784  output_acl_vec_by_sw_if_index;
785  int rv = 0;
786  if (is_add)
787  {
788  vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
789  u32 index = vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
790  acl_list_index);
791 
792  if (~0 != index)
793  {
794  rv = error_already_applied;
795  goto done;
796  }
797 
798  acl_vec = vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
799  vec_add1 (acl_vec, acl_list_index);
800  }
801  else
802  {
803  if (sw_if_index >= vec_len (*pinout_acl_vec_by_sw_if_index))
804  {
805  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
806  goto done;
807  }
808 
809  u32 index = vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
810  acl_list_index);
811 
812  if (~0 == index)
813  {
814  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
815  goto done;
816  }
817 
818  acl_vec = vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
819  vec_del1 (acl_vec, index);
820  }
821 
822  rv = acl_interface_set_inout_acl_list (am, sw_if_index, is_input, acl_vec,
823  &may_clear_sessions);
824 done:
825  vec_free (acl_vec);
826  return rv;
827 }
828 
829 static int
830 acl_set_etype_whitelists (acl_main_t * am, u32 sw_if_index, u16 * vec_in,
831  u16 * vec_out)
832 {
833  vec_validate (am->input_etype_whitelist_by_sw_if_index, sw_if_index);
834  vec_validate (am->output_etype_whitelist_by_sw_if_index, sw_if_index);
835 
836  vec_free (am->input_etype_whitelist_by_sw_if_index[sw_if_index]);
837  vec_free (am->output_etype_whitelist_by_sw_if_index[sw_if_index]);
838 
839  am->input_etype_whitelist_by_sw_if_index[sw_if_index] = vec_in;
840  am->output_etype_whitelist_by_sw_if_index[sw_if_index] = vec_out;
841 
842  /*
843  * if there are already inbound/outbound ACLs applied, toggle the
844  * enable/disable - this will recreate the necessary tables.
845  */
846 
847  if (vec_len (am->input_acl_vec_by_sw_if_index) > sw_if_index)
848  {
849  if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
850  {
851  acl_interface_in_enable_disable (am, sw_if_index, 0);
852  acl_interface_in_enable_disable (am, sw_if_index, 1);
853  }
854  }
855  if (vec_len (am->output_acl_vec_by_sw_if_index) > sw_if_index)
856  {
857  if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
858  {
859  acl_interface_out_enable_disable (am, sw_if_index, 0);
860  acl_interface_out_enable_disable (am, sw_if_index, 1);
861  }
862  }
863  return 0;
864 }
865 
866 
867 typedef struct
868 {
869  u8 is_ipv6;
870  u8 has_egress;
871  u8 mac_mask[6];
872  u8 prefix_len;
873  u32 count;
874  u32 table_index;
875  u32 arp_table_index;
876  u32 dot1q_table_index;
877  u32 dot1ad_table_index;
878  u32 arp_dot1q_table_index;
879  u32 arp_dot1ad_table_index;
880  /* egress tables */
881  u32 out_table_index;
882  u32 out_arp_table_index;
883  u32 out_dot1q_table_index;
884  u32 out_dot1ad_table_index;
885  u32 out_arp_dot1q_table_index;
886  u32 out_arp_dot1ad_table_index;
887 } macip_match_type_t;
888 
889 static u32
890 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
891  u8 is_ipv6)
892 {
893  u32 i;
894  if (mv)
895  {
896  for (i = 0; i < vec_len (mv); i++)
897  {
898  if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
899  && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
900  {
901  return i;
902  }
903  }
904  }
905  return ~0;
906 }
907 
908 
909 /* Get metric used to sort match types.
910  The more specific and the more often seen - the bigger the metric */
911 static int
912 match_type_metric (macip_match_type_t * m)
913 {
914  unsigned int mac_bits_set = 0;
915  unsigned int mac_byte;
916  int i;
917  for (i = 0; i < 6; i++)
918  {
919  mac_byte = m->mac_mask[i];
920  for (; mac_byte; mac_byte >>= 1)
921  mac_bits_set += mac_byte & 1;
922  }
923  /*
924  * Attempt to place the more specific and the more used rules on top.
925  * There are obvious caveat corner cases to this, but they do not
926  * seem to be sensible in real world (e.g. specific IPv4 with wildcard MAC
927  * going with a wildcard IPv4 with a specific MAC).
928  */
929  return m->prefix_len + mac_bits_set + m->is_ipv6 + 10 * m->count;
930 }
931 
932 static int
933 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
934 {
935  /* Ascending sort based on the metric values */
936  return match_type_metric (m1) - match_type_metric (m2);
937 }
938 
939 /* Get the offset of L3 source within ethernet packet */
940 static int
941 get_l3_src_offset (int is6)
942 {
943  if (is6)
944  return (sizeof (ethernet_header_t) +
945  offsetof (ip6_header_t, src_address));
946  else
947  return (sizeof (ethernet_header_t) +
948  offsetof (ip4_header_t, src_address));
949 }
950 
951 static int
952 get_l3_dst_offset (int is6)
953 {
954  if (is6)
955  return (sizeof (ethernet_header_t) +
956  offsetof (ip6_header_t, dst_address));
957  else
958  return (sizeof (ethernet_header_t) +
959  offsetof (ip4_header_t, dst_address));
960 }
961 
962 /*
963  * return if the is_permit value also requires to create the egress tables
964  * For backwards compatibility, we keep the is_permit = 1 to only
965  * create the ingress tables, and the new value of 3 will also
966  * create the egress tables based on destination.
967  */
968 static int
969 macip_permit_also_egress (u8 is_permit)
970 {
971  return (is_permit == 3);
972 }
973 
974 static int
975 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
976 {
977  macip_match_type_t *mvec = NULL;
978  macip_match_type_t *mt;
979  macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
980  int i;
981  u32 match_type_index;
982  u32 last_table;
983  u32 out_last_table;
984  u8 mask[5 * 16];
985  vnet_classify_main_t *cm = &vnet_classify_main;
986 
987  /* Count the number of different types of rules */
988  for (i = 0; i < a->count; i++)
989  {
990  if (~0 ==
991  (match_type_index =
992  macip_find_match_type (mvec, a->rules[i].src_mac_mask,
993  a->rules[i].src_prefixlen,
994  a->rules[i].is_ipv6)))
995  {
996  match_type_index = vec_len (mvec);
997  vec_validate (mvec, match_type_index);
998  memcpy (mvec[match_type_index].mac_mask,
999  a->rules[i].src_mac_mask, 6);
1000  mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1001  mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1002  mvec[match_type_index].has_egress = 0;
1003  mvec[match_type_index].table_index = ~0;
1004  mvec[match_type_index].arp_table_index = ~0;
1005  mvec[match_type_index].dot1q_table_index = ~0;
1006  mvec[match_type_index].dot1ad_table_index = ~0;
1007  mvec[match_type_index].arp_dot1q_table_index = ~0;
1008  mvec[match_type_index].arp_dot1ad_table_index = ~0;
1009  mvec[match_type_index].out_table_index = ~0;
1010  mvec[match_type_index].out_arp_table_index = ~0;
1011  mvec[match_type_index].out_dot1q_table_index = ~0;
1012  mvec[match_type_index].out_dot1ad_table_index = ~0;
1013  mvec[match_type_index].out_arp_dot1q_table_index = ~0;
1014  mvec[match_type_index].out_arp_dot1ad_table_index = ~0;
1015  }
1016  mvec[match_type_index].count++;
1017  mvec[match_type_index].has_egress |=
1018  macip_permit_also_egress (a->rules[i].is_permit);
1019  }
1020  /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1021  vec_sort_with_function (mvec, match_type_compare);
1022  /* Create the classifier tables */
1023  last_table = ~0;
1024  out_last_table = ~0;
1025  /* First add ARP tables */
1026  vec_foreach (mt, mvec)
1027  {
1028  int mask_len;
1029  int is6 = mt->is_ipv6;
1030  int tags;
1031  u32 *last_tag_table;
1032  u32 *out_last_tag_table;
1033  u32 l3_offset;
1034 
1035  if (!is6)
1036  {
1037  /*
1038  0 1 2 3
1039  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1040  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1041  | Destination Address |
1042  + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1043  | | |
1044  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1045  | Source Address |
1046  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1047  | EtherType | Hardware Type |
1048  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1049  | Protocol Type | Hw addr len | Proto addr len|
1050  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1051  | Opcode | |
1052  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1053  | Sender Hardware Address |
1054  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1055  | Sender Protocol Address |
1056  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1057  | Target Hardware Address |
1058  + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1059  | | TargetProtocolAddress |
1060  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1061  | |
1062  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1063  */
1064  for (tags = 2; tags >= 0; tags--)
1065  {
1066  clib_memset (mask, 0, sizeof (mask));
1067  /* source MAC address */
1068  memcpy (&mask[6], mt->mac_mask, 6);
1069 
1070  switch (tags)
1071  {
1072  case 0:
1073  default:
1074  clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1075  l3_offset = 14;
1076  last_tag_table = &mt->arp_table_index;
1077  break;
1078  case 1:
1079  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1080  clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1081  l3_offset = 18;
1082  last_tag_table = &mt->arp_dot1q_table_index;
1083  break;
1084  case 2:
1085  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1086  clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1087  clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1088  l3_offset = 22;
1089  last_tag_table = &mt->arp_dot1ad_table_index;
1090  break;
1091  }
1092 
1093  /* sender hardware address within ARP */
1094  memcpy (&mask[l3_offset + 8], mt->mac_mask, 6);
1095  /* sender protocol address within ARP */
1096  for (i = 0; i < (mt->prefix_len / 8); i++)
1097  mask[l3_offset + 14 + i] = 0xff;
1098  if (mt->prefix_len % 8)
1099  mask[l3_offset + 14 + (mt->prefix_len / 8)] =
1100  0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1101 
1102  mask_len = ((l3_offset + 14 + ((mt->prefix_len + 7) / 8) +
1103  (sizeof (u32x4) -
1104  1)) / sizeof (u32x4)) * sizeof (u32x4);
1105  acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1106  (~0 == last_table) ? 0 : ~0,
1107  last_tag_table, 1);
1108  last_table = *last_tag_table;
1109  if (mt->has_egress)
1110  {
1111  /* egress ARP table */
1112  clib_memset (mask, 0, sizeof (mask));
1113 
1114  switch (tags)
1115  {
1116  case 0:
1117  default:
1118  clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1119  l3_offset = 14;
1120  out_last_tag_table = &mt->out_arp_table_index;
1121  break;
1122  case 1:
1123  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1124  clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1125  l3_offset = 18;
1126  out_last_tag_table = &mt->out_arp_dot1q_table_index;
1127  break;
1128  case 2:
1129  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1130  clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1131  clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1132  l3_offset = 22;
1133  out_last_tag_table = &mt->out_arp_dot1ad_table_index;
1134  break;
1135  }
1136 
1137  /* AYXX: FIXME here - can we tighten the ARP-related table more ? */
1138  /* mask captures just the destination and the ethertype */
1139  mask_len = ((l3_offset +
1140  (sizeof (u32x4) -
1141  1)) / sizeof (u32x4)) * sizeof (u32x4);
1142  acl_classify_add_del_table_small (cm, mask, mask_len,
1143  out_last_table,
1144  (~0 ==
1145  out_last_table) ? 0 : ~0,
1146  out_last_tag_table, 1);
1147  out_last_table = *out_last_tag_table;
1148  }
1149  }
1150  }
1151  }
1152  /* Now add IP[46] tables */
1153  vec_foreach (mt, mvec)
1154  {
1155  int mask_len;
1156  int is6 = mt->is_ipv6;
1157  int l3_src_offs;
1158  int l3_dst_offs;
1159  int tags;
1160  u32 *last_tag_table;
1161  u32 *out_last_tag_table;
1162 
1163  /*
1164  * create chained tables for VLAN (no-tags, dot1q and dot1ad) packets
1165  */
1166  for (tags = 2; tags >= 0; tags--)
1167  {
1168  clib_memset (mask, 0, sizeof (mask));
1169  memcpy (&mask[6], mt->mac_mask, 6);
1170  l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1171  switch (tags)
1172  {
1173  case 0:
1174  default:
1175  clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1176  last_tag_table = &mt->table_index;
1177  break;
1178  case 1:
1179  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1180  clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1181  last_tag_table = &mt->dot1q_table_index;
1182  break;
1183  case 2:
1184  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1185  clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1186  clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1187  last_tag_table = &mt->dot1ad_table_index;
1188  break;
1189  }
1190  for (i = 0; i < (mt->prefix_len / 8); i++)
1191  {
1192  mask[l3_src_offs + i] = 0xff;
1193  }
1194  if (mt->prefix_len % 8)
1195  {
1196  mask[l3_src_offs + (mt->prefix_len / 8)] =
1197  0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1198  }
1199  /*
1200  * Round-up the number of bytes needed to store the prefix,
1201  * and round up the number of vectors too
1202  */
1203  mask_len = ((l3_src_offs + ((mt->prefix_len + 7) / 8) +
1204  (sizeof (u32x4) - 1)) / sizeof (u32x4)) * sizeof (u32x4);
1205  acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1206  (~0 == last_table) ? 0 : ~0,
1207  last_tag_table, 1);
1208  last_table = *last_tag_table;
1209  }
1210  if (mt->has_egress)
1211  {
1212  for (tags = 2; tags >= 0; tags--)
1213  {
1214  clib_memset (mask, 0, sizeof (mask));
1215  /* MAC destination */
1216  memcpy (&mask[0], mt->mac_mask, 6);
1217  l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1218  switch (tags)
1219  {
1220  case 0:
1221  default:
1222  clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1223  out_last_tag_table = &mt->out_table_index;
1224  break;
1225  case 1:
1226  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1227  clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1228  out_last_tag_table = &mt->out_dot1q_table_index;
1229  break;
1230  case 2:
1231  clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1232  clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1233  clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1234  out_last_tag_table = &mt->out_dot1ad_table_index;
1235  break;
1236  }
1237  for (i = 0; i < (mt->prefix_len / 8); i++)
1238  {
1239  mask[l3_dst_offs + i] = 0xff;
1240  }
1241  if (mt->prefix_len % 8)
1242  {
1243  mask[l3_dst_offs + (mt->prefix_len / 8)] =
1244  0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1245  }
1246  /*
1247  * Round-up the number of bytes needed to store the prefix,
1248  * and round up the number of vectors too
1249  */
1250  mask_len = ((l3_dst_offs + ((mt->prefix_len + 7) / 8) +
1251  (sizeof (u32x4) -
1252  1)) / sizeof (u32x4)) * sizeof (u32x4);
1253  acl_classify_add_del_table_small (cm, mask, mask_len,
1254  out_last_table,
1255  (~0 == out_last_table) ? 0 : ~0,
1256  out_last_tag_table, 1);
1257  out_last_table = *out_last_tag_table;
1258  }
1259  }
1260  }
1261  a->ip4_table_index = last_table;
1262  a->ip6_table_index = last_table;
1263  a->l2_table_index = last_table;
1264 
1265  a->out_ip4_table_index = out_last_table;
1266  a->out_ip6_table_index = out_last_table;
1267  a->out_l2_table_index = out_last_table;
1268 
1269  /* Populate the classifier tables with rules from the MACIP ACL */
1270  for (i = 0; i < a->count; i++)
1271  {
1272  u32 action = 0;
1273  u32 metadata = 0;
1274  int is6 = a->rules[i].is_ipv6;
1275  int l3_src_offs;
1276  int l3_dst_offs;
1277  u32 tag_table;
1278  int tags, eth;
1279 
1280  match_type_index =
1281  macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1282  a->rules[i].src_prefixlen,
1283  a->rules[i].is_ipv6);
1284  ASSERT (match_type_index != ~0);
1285 
1286  for (tags = 2; tags >= 0; tags--)
1287  {
1288  clib_memset (mask, 0, sizeof (mask));
1289  l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1290  memcpy (&mask[6], a->rules[i].src_mac, 6);
1291  switch (tags)
1292  {
1293  case 0:
1294  default:
1295  tag_table = mvec[match_type_index].table_index;
1296  eth = 12;
1297  break;
1298  case 1:
1299  tag_table = mvec[match_type_index].dot1q_table_index;
1300  mask[12] = 0x81;
1301  mask[13] = 0x00;
1302  eth = 16;
1303  break;
1304  case 2:
1305  tag_table = mvec[match_type_index].dot1ad_table_index;
1306  mask[12] = 0x88;
1307  mask[13] = 0xa8;
1308  mask[16] = 0x81;
1309  mask[17] = 0x00;
1310  eth = 20;
1311  break;
1312  }
1313  if (is6)
1314  {
1315  memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1316  mask[eth] = 0x86;
1317  mask[eth + 1] = 0xdd;
1318  }
1319  else
1320  {
1321  memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1322  mask[eth] = 0x08;
1323  mask[eth + 1] = 0x00;
1324  }
1325 
1326  /* add session to table mvec[match_type_index].table_index; */
1327  vnet_classify_add_del_session (cm, tag_table,
1328  mask, a->rules[i].is_permit ? ~0 : 0,
1329  i, 0, action, metadata, 1);
1330  clib_memset (&mask[12], 0, sizeof (mask) - 12);
1331  }
1332 
1333  /* add ARP table entry too */
1334  if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1335  {
1336  clib_memset (mask, 0, sizeof (mask));
1337  memcpy (&mask[6], a->rules[i].src_mac, 6);
1338 
1339  for (tags = 2; tags >= 0; tags--)
1340  {
1341  switch (tags)
1342  {
1343  case 0:
1344  default:
1345  tag_table = mvec[match_type_index].arp_table_index;
1346  mask[12] = 0x08;
1347  mask[13] = 0x06;
1348  l3_src_offs = 14;
1349  break;
1350  case 1:
1351  tag_table = mvec[match_type_index].arp_dot1q_table_index;
1352  mask[12] = 0x81;
1353  mask[13] = 0x00;
1354  mask[16] = 0x08;
1355  mask[17] = 0x06;
1356  l3_src_offs = 18;
1357  break;
1358  case 2:
1359  tag_table = mvec[match_type_index].arp_dot1ad_table_index;
1360  mask[12] = 0x88;
1361  mask[13] = 0xa8;
1362  mask[16] = 0x81;
1363  mask[17] = 0x00;
1364  mask[20] = 0x08;
1365  mask[21] = 0x06;
1366  l3_src_offs = 22;
1367  break;
1368  }
1369 
1370  memcpy (&mask[l3_src_offs + 8], a->rules[i].src_mac, 6);
1371  memcpy (&mask[l3_src_offs + 14], &a->rules[i].src_ip_addr.ip4,
1372  4);
1373  vnet_classify_add_del_session (cm, tag_table, mask,
1374  a->rules[i].is_permit ? ~0 : 0,
1375  i, 0, action, metadata, 1);
1376  }
1377  }
1378  if (macip_permit_also_egress (a->rules[i].is_permit))
1379  {
1380  /* Add the egress entry with destination set */
1381  for (tags = 2; tags >= 0; tags--)
1382  {
1383  clib_memset (mask, 0, sizeof (mask));
1384  l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1385  /* src mac in the other direction becomes dst */
1386  memcpy (&mask[0], a->rules[i].src_mac, 6);
1387  switch (tags)
1388  {
1389  case 0:
1390  default:
1391  tag_table = mvec[match_type_index].out_table_index;
1392  eth = 12;
1393  break;
1394  case 1:
1395  tag_table = mvec[match_type_index].out_dot1q_table_index;
1396  mask[12] = 0x81;
1397  mask[13] = 0x00;
1398  eth = 16;
1399  break;
1400  case 2:
1401  tag_table = mvec[match_type_index].out_dot1ad_table_index;
1402  mask[12] = 0x88;
1403  mask[13] = 0xa8;
1404  mask[16] = 0x81;
1405  mask[17] = 0x00;
1406  eth = 20;
1407  break;
1408  }
1409  if (is6)
1410  {
1411  memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip6,
1412  16);
1413  mask[eth] = 0x86;
1414  mask[eth + 1] = 0xdd;
1415  }
1416  else
1417  {
1418  memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip4,
1419  4);
1420  mask[eth] = 0x08;
1421  mask[eth + 1] = 0x00;
1422  }
1423 
1424  /* add session to table mvec[match_type_index].table_index; */
1425  vnet_classify_add_del_session (cm, tag_table,
1426  mask,
1427  a->rules[i].is_permit ? ~0 : 0,
1428  i, 0, action, metadata, 1);
1429  // clib_memset (&mask[12], 0, sizeof (mask) - 12);
1430  }
1431 
1432  /* add ARP table entry too */
1433  if (!is6 && (mvec[match_type_index].out_arp_table_index != ~0))
1434  {
1435  for (tags = 2; tags >= 0; tags--)
1436  {
1437  clib_memset (mask, 0, sizeof (mask));
1438  switch (tags)
1439  {
1440  case 0:
1441  default:
1442  tag_table = mvec[match_type_index].out_arp_table_index;
1443  mask[12] = 0x08;
1444  mask[13] = 0x06;
1445  break;
1446  case 1:
1447  tag_table =
1448  mvec[match_type_index].out_arp_dot1q_table_index;
1449  mask[12] = 0x81;
1450  mask[13] = 0x00;
1451  mask[16] = 0x08;
1452  mask[17] = 0x06;
1453  break;
1454  case 2:
1455  tag_table =
1456  mvec[match_type_index].out_arp_dot1ad_table_index;
1457  mask[12] = 0x88;
1458  mask[13] = 0xa8;
1459  mask[16] = 0x81;
1460  mask[17] = 0x00;
1461  mask[20] = 0x08;
1462  mask[21] = 0x06;
1463  break;
1464  }
1465 
1466  vnet_classify_add_del_session (cm, tag_table,
1467  mask,
1468  a->rules[i].
1469  is_permit ? ~0 : 0, i, 0,
1470  action, metadata, 1);
1471  }
1472  }
1473  }
1474  }
1475  return 0;
1476 }
1477 
1478 static void
1479 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1480 {
1481  vnet_classify_main_t *cm = &vnet_classify_main;
1482  macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1483 
1484  if (a->ip4_table_index != ~0)
1485  {
1486  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1487  &a->ip4_table_index, 0);
1488  a->ip4_table_index = ~0;
1489  }
1490  if (a->ip6_table_index != ~0)
1491  {
1492  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1493  &a->ip6_table_index, 0);
1494  a->ip6_table_index = ~0;
1495  }
1496  if (a->l2_table_index != ~0)
1497  {
1498  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index,
1499  0);
1500  a->l2_table_index = ~0;
1501  }
1502  if (a->out_ip4_table_index != ~0)
1503  {
1504  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1505  &a->out_ip4_table_index, 0);
1506  a->out_ip4_table_index = ~0;
1507  }
1508  if (a->out_ip6_table_index != ~0)
1509  {
1510  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1511  &a->out_ip6_table_index, 0);
1512  a->out_ip6_table_index = ~0;
1513  }
1514  if (a->out_l2_table_index != ~0)
1515  {
1516  acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1517  &a->out_l2_table_index, 0);
1518  a->out_l2_table_index = ~0;
1519  }
1520 }
1521 
1522 static int
1523 macip_maybe_apply_unapply_classifier_tables (acl_main_t * am, u32 acl_index,
1524  int is_apply)
1525 {
1526  int rv = 0;
1527  int rv0 = 0;
1528  int i;
1529  macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, acl_index);
1530 
1531  for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1532  if (vec_elt (am->macip_acl_by_sw_if_index, i) == acl_index)
1533  {
1534  rv0 = vnet_set_input_acl_intfc (am->vlib_main, i, a->ip4_table_index,
1535  a->ip6_table_index, a->l2_table_index,
1536  is_apply);
1537  /* return the first unhappy outcome but make try to plough through. */
1538  rv = rv || rv0;
1539  rv0 =
1540  vnet_set_output_acl_intfc (am->vlib_main, i, a->out_ip4_table_index,
1541  a->out_ip6_table_index,
1542  a->out_l2_table_index, is_apply);
1543  /* return the first unhappy outcome but make try to plough through. */
1544  rv = rv || rv0;
1545  }
1546  return rv;
1547 }
1548 
1549 static int
1550 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1551  u32 * acl_list_index, u8 * tag)
1552 {
1553  acl_main_t *am = &acl_main;
1554  macip_acl_list_t *a;
1555  macip_acl_rule_t *r;
1556  macip_acl_rule_t *acl_new_rules = 0;
1557  size_t tag_len;
1558  int i;
1559  int rv = 0;
1560 
1561  tag_len = clib_strnlen ((const char *) tag, sizeof (a->tag));
1562  if (tag_len == sizeof (a->tag))
1563  return VNET_API_ERROR_INVALID_VALUE;
1564 
1565  if (*acl_list_index != ~0)
1566  {
1567  /* They supplied some number, let's see if this MACIP ACL exists */
1568  if (pool_is_free_index (am->macip_acls, *acl_list_index))
1569  {
1570  /* tried to replace a non-existent ACL, no point doing anything */
1571  clib_warning
1572  ("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)",
1573  *acl_list_index, tag);
1574  return VNET_API_ERROR_NO_SUCH_ENTRY;
1575  }
1576  }
1577 
1578  if (0 == count)
1579  {
1580  clib_warning
1581  ("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)",
1582  tag);
1583  }
1584  /* if replacing the ACL, unapply the classifier tables first - they will be gone.. */
1585  if (~0 != *acl_list_index)
1586  rv = macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 0);
1587  /* Create and populate the rules */
1588  if (count > 0)
1589  vec_validate (acl_new_rules, count - 1);
1590 
1591  for (i = 0; i < count; i++)
1592  {
1593  r = &acl_new_rules[i];
1594  r->is_permit = rules[i].is_permit;
1595  r->is_ipv6 = rules[i].src_prefix.address.af;
1596  mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
1597  mac_address_decode (rules[i].src_mac_mask,
1598  (mac_address_t *) & r->src_mac_mask);
1599  ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
1600  r->src_prefixlen = rules[i].src_prefix.len;
1601  }
1602 
1603  if (~0 == *acl_list_index)
1604  {
1605  /* Get ACL index */
1606  pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1607  clib_memset (a, 0, sizeof (*a));
1608  /* Will return the newly allocated ACL index */
1609  *acl_list_index = a - am->macip_acls;
1610  }
1611  else
1612  {
1613  a = pool_elt_at_index (am->macip_acls, *acl_list_index);
1614  if (a->rules)
1615  {
1616  vec_free (a->rules);
1617  }
1618  macip_destroy_classify_tables (am, *acl_list_index);
1619  }
1620 
1621  a->rules = acl_new_rules;
1622  a->count = count;
1623  memcpy (a->tag, tag, tag_len + 1);
1624 
1625  /* Create and populate the classifier tables */
1626  macip_create_classify_tables (am, *acl_list_index);
1627  /* If the ACL was already applied somewhere, reapply the newly created tables */
1628  rv = rv
1629  || macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1);
1630  return rv;
1631 }
1632 
1633 /* No check that sw_if_index denotes a valid interface - the callers
1634  * were supposed to validate.
1635  *
1636  * That said, if sw_if_index corresponds to an interface that exists at all,
1637  * this function must return errors accordingly if the ACL is not applied.
1638  */
1639 
1640 static int
1641 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1642 {
1643  int rv;
1644  u32 macip_acl_index;
1645  macip_acl_list_t *a;
1646 
1647  /* The vector is too short - MACIP ACL is not applied */
1648  if (sw_if_index >= vec_len (am->macip_acl_by_sw_if_index))
1649  return VNET_API_ERROR_NO_SUCH_ENTRY;
1650 
1651  macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
1652  /* No point in deleting MACIP ACL which is not applied */
1653  if (~0 == macip_acl_index)
1654  return VNET_API_ERROR_NO_SUCH_ENTRY;
1655 
1656  a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1657  /* remove the classifier tables off the interface L2 ACL */
1658  rv =
1659  vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1660  a->ip6_table_index, a->l2_table_index, 0);
1661  rv |=
1662  vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1663  a->out_ip4_table_index, a->out_ip6_table_index,
1664  a->out_l2_table_index, 0);
1665  /* Unset the MACIP ACL index */
1666  am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1667  /* macip_acl_interface_add_acl did a vec_add1() to this previously, so [sw_if_index] should be valid */
1668  u32 index = vec_search (am->sw_if_index_vec_by_macip_acl[macip_acl_index],
1669  sw_if_index);
1670  if (index != ~0)
1671  vec_del1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], index);
1672  return rv;
1673 }
1674 
1675 /* No check for validity of sw_if_index - the callers were supposed to validate */
1676 
1677 static int
1678 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1679  u32 macip_acl_index)
1680 {
1681  macip_acl_list_t *a;
1682  int rv;
1683  if (pool_is_free_index (am->macip_acls, macip_acl_index))
1684  {
1685  return VNET_API_ERROR_NO_SUCH_ENTRY;
1686  }
1687  a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1688  vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1689  vec_validate (am->sw_if_index_vec_by_macip_acl, macip_acl_index);
1690  vec_add1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], sw_if_index);
1691  /* If there already a MACIP ACL applied, unapply it */
1692  if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1693  macip_acl_interface_del_acl (am, sw_if_index);
1694  am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1695 
1696  /* Apply the classifier tables for L2 ACLs */
1697  rv =
1698  vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1699  a->ip6_table_index, a->l2_table_index, 1);
1700  rv |=
1701  vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1702  a->out_ip4_table_index, a->out_ip6_table_index,
1703  a->out_l2_table_index, 1);
1704  return rv;
1705 }
1706 
1707 static int
1708 macip_acl_del_list (u32 acl_list_index)
1709 {
1710  acl_main_t *am = &acl_main;
1711  macip_acl_list_t *a;
1712  int i;
1713  if (pool_is_free_index (am->macip_acls, acl_list_index))
1714  {
1715  return VNET_API_ERROR_NO_SUCH_ENTRY;
1716  }
1717 
1718  /* delete any references to the ACL */
1719  for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1720  {
1721  if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1722  {
1723  macip_acl_interface_del_acl (am, i);
1724  }
1725  }
1726 
1727  /* Now that classifier tables are detached, clean them up */
1728  macip_destroy_classify_tables (am, acl_list_index);
1729 
1730  /* now we can delete the ACL itself */
1731  a = pool_elt_at_index (am->macip_acls, acl_list_index);
1732  if (a->rules)
1733  {
1734  vec_free (a->rules);
1735  }
1736  pool_put (am->macip_acls, a);
1737  return 0;
1738 }
1739 
1740 
1741 static int
1742 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1743  u32 acl_list_index)
1744 {
1745  acl_main_t *am = &acl_main;
1746  int rv = -1;
1747  if (is_add)
1748  {
1749  rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1750  }
1751  else
1752  {
1753  rv = macip_acl_interface_del_acl (am, sw_if_index);
1754  }
1755  return rv;
1756 }
1757 
1758 /*
1759  * If the client does not allocate enough memory for a variable-length
1760  * message, and then proceed to use it as if the full memory allocated,
1761  * absent the check we happily consume that on the VPP side, and go
1762  * along as if nothing happened. However, the resulting
1763  * effects range from just garbage in the API decode
1764  * (because the decoder snoops too far), to potential memory
1765  * corruptions.
1766  *
1767  * This verifies that the actual length of the message is
1768  * at least expected_len, and complains loudly if it is not.
1769  *
1770  * A failing check here is 100% a software bug on the API user side,
1771  * so we might as well yell.
1772  *
1773  */
1774 static int
1775 verify_message_len (void *mp, u64 expected_len, char *where)
1776 {
1777  u32 supplied_len = vl_msg_api_get_msg_length (mp);
1778  if (supplied_len < expected_len)
1779  {
1780  clib_warning ("%s: Supplied message length %d is less than expected %d",
1781  where, supplied_len, expected_len);
1782  return 0;
1783  }
1784  else
1785  {
1786  return 1;
1787  }
1788 }
1789 
1790 /* API message handler */
1791 static void
1792 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1793 {
1794  vl_api_acl_add_replace_reply_t *rmp;
1795  acl_main_t *am = &acl_main;
1796  int rv;
1797  u32 acl_list_index = ntohl (mp->acl_index);
1798  u32 acl_count = ntohl (mp->count);
1799  u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
1800 
1801  if (verify_message_len (mp, expected_len, "acl_add_replace"))
1802  {
1803  rv = acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1804  }
1805  else
1806  {
1807  rv = VNET_API_ERROR_INVALID_VALUE;
1808  }
1809 
1810  /* *INDENT-OFF* */
1811  REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1812  ({
1813  rmp->acl_index = htonl(acl_list_index);
1814  }));
1815  /* *INDENT-ON* */
1816 }
1817 
1818 static void
1819 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1820 {
1821  acl_main_t *am = &acl_main;
1822  vl_api_acl_del_reply_t *rmp;
1823  int rv;
1824 
1825  rv = acl_del_list (ntohl (mp->acl_index));
1826 
1827  REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1828 }
1829 
1830 
1831 static void
1832  vl_api_acl_stats_intf_counters_enable_t_handler
1833  (vl_api_acl_stats_intf_counters_enable_t * mp)
1834 {
1835  acl_main_t *am = &acl_main;
1836  vl_api_acl_stats_intf_counters_enable_reply_t *rmp;
1837  int rv;
1838 
1839  rv = acl_stats_intf_counters_enable_disable (am, mp->enable);
1840 
1841  REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1842 }
1843 
1844 
1845 static void
1846 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1847 {
1848  acl_main_t *am = &acl_main;
1849  vnet_interface_main_t *im = &am->vnet_main->interface_main;
1850  u32 sw_if_index = ntohl (mp->sw_if_index);
1851  vl_api_acl_interface_add_del_reply_t *rmp;
1852  int rv = -1;
1853 
1854  if (pool_is_free_index (im->sw_interfaces, sw_if_index))
1855  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1856  else
1857  rv =
1858  acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1859  mp->is_input, ntohl (mp->acl_index));
1860 
1861  REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1862 }
1863 
1864 static void
1865  vl_api_acl_interface_set_acl_list_t_handler
1866  (vl_api_acl_interface_set_acl_list_t * mp)
1867 {
1868  acl_main_t *am = &acl_main;
1869  vl_api_acl_interface_set_acl_list_reply_t *rmp;
1870  int rv = 0;
1871  int i;
1872  vnet_interface_main_t *im = &am->vnet_main->interface_main;
1873  u32 sw_if_index = ntohl (mp->sw_if_index);
1874 
1875  if (pool_is_free_index (im->sw_interfaces, sw_if_index))
1876  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1877  else
1878  {
1879  int may_clear_sessions = 1;
1880  for (i = 0; i < mp->count; i++)
1881  {
1882  if (acl_is_not_defined (am, ntohl (mp->acls[i])))
1883  {
1884  /* ACL does not exist, so we can not apply it */
1885  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1886  }
1887  }
1888  if (0 == rv)
1889  {
1890  u32 *in_acl_vec = 0;
1891  u32 *out_acl_vec = 0;
1892  for (i = 0; i < mp->count; i++)
1893  if (i < mp->n_input)
1894  vec_add1 (in_acl_vec, clib_net_to_host_u32 (mp->acls[i]));
1895  else
1896  vec_add1 (out_acl_vec, clib_net_to_host_u32 (mp->acls[i]));
1897 
1898  rv =
1899  acl_interface_set_inout_acl_list (am, sw_if_index, 0, out_acl_vec,
1900  &may_clear_sessions);
1901  rv = rv
1902  || acl_interface_set_inout_acl_list (am, sw_if_index, 1,
1903  in_acl_vec,
1904  &may_clear_sessions);
1905  vec_free (in_acl_vec);
1906  vec_free (out_acl_vec);
1907  }
1908  }
1909 
1910  REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1911 }
1912 
1913 static void
1914 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1915 {
1916  api_rule->is_permit = r->is_permit;
1917  ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
1918  &api_rule->src_prefix.address);
1919  ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
1920  &api_rule->dst_prefix.address);
1921  api_rule->src_prefix.len = r->src_prefixlen;
1922  api_rule->dst_prefix.len = r->dst_prefixlen;
1923  api_rule->proto = r->proto;
1924  api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
1925  api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
1926  api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
1927  api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
1928  api_rule->tcp_flags_mask = r->tcp_flags_mask;
1929  api_rule->tcp_flags_value = r->tcp_flags_value;
1930 }
1931 
1932 static void
1933 send_acl_details (acl_main_t * am, vl_api_registration_t * reg,
1934  acl_list_t * acl, u32 context)
1935 {
1936  vl_api_acl_details_t *mp;
1937  vl_api_acl_rule_t *rules;
1938  int i;
1939  acl_rule_t *acl_rules = acl->rules;
1940  int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * vec_len (acl_rules);
1941 
1942  mp = vl_msg_api_alloc (msg_size);
1943  clib_memset (mp, 0, msg_size);
1944  mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1945 
1946  /* fill in the message */
1947  mp->context = context;
1948  mp->count = htonl (vec_len (acl_rules));
1949  mp->acl_index = htonl (acl - am->acls);
1950  snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag);
1951  // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1952  rules = mp->r;
1953  for (i = 0; i < vec_len (acl_rules); i++)
1954  {
1955  copy_acl_rule_to_api_rule (&rules[i], &acl_rules[i]);
1956  }
1957 
1958  vl_api_send_msg (reg, (u8 *) mp);
1959 }
1960 
1961 
1962 static void
1963 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
1964 {
1965  acl_main_t *am = &acl_main;
1966  u32 acl_index;
1967  acl_list_t *acl;
1968  int rv = -1;
1969  vl_api_registration_t *reg;
1970 
1971  reg = vl_api_client_index_to_registration (mp->client_index);
1972  if (!reg)
1973  return;
1974 
1975  if (mp->acl_index == ~0)
1976  {
1977  /* *INDENT-OFF* */
1978  /* Just dump all ACLs */
1979  pool_foreach (acl, am->acls)
1980  {
1981  send_acl_details(am, reg, acl, mp->context);
1982  }
1983  /* *INDENT-ON* */
1984  }
1985  else
1986  {
1987  acl_index = ntohl (mp->acl_index);
1988  if (!pool_is_free_index (am->acls, acl_index))
1989  {
1990  acl = pool_elt_at_index (am->acls, acl_index);
1991  send_acl_details (am, reg, acl, mp->context);
1992  }
1993  }
1994 
1995  if (rv == -1)
1996  {
1997  /* FIXME API: should we signal an error here at all ? */
1998  return;
1999  }
2000 }
2001 
2002 static void
2003 send_acl_interface_list_details (acl_main_t * am,
2004  vl_api_registration_t * reg,
2005  u32 sw_if_index, u32 context)
2006 {
2007  vl_api_acl_interface_list_details_t *mp;
2008  int msg_size;
2009  int n_input;
2010  int n_output;
2011  int count;
2012  int i = 0;
2013 
2014  vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
2015  vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
2016 
2017  n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
2018  n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
2019  count = n_input + n_output;
2020 
2021  msg_size = sizeof (*mp);
2022  msg_size += sizeof (mp->acls[0]) * count;
2023 
2024  mp = vl_msg_api_alloc (msg_size);
2025  clib_memset (mp, 0, msg_size);
2026  mp->_vl_msg_id =
2027  ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2028 
2029  /* fill in the message */
2030  mp->context = context;
2031  mp->sw_if_index = htonl (sw_if_index);
2032  mp->count = count;
2033  mp->n_input = n_input;
2034  for (i = 0; i < n_input; i++)
2035  {
2036  mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
2037  }
2038  for (i = 0; i < n_output; i++)
2039  {
2040  mp->acls[n_input + i] =
2041  htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
2042  }
2043  vl_api_send_msg (reg, (u8 *) mp);
2044 }
2045 
2046 static void
2047 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
2048  mp)
2049 {
2050  acl_main_t *am = &acl_main;
2051  vnet_sw_interface_t *swif;
2052  vnet_interface_main_t *im = &am->vnet_main->interface_main;
2053 
2054  u32 sw_if_index;
2055  vl_api_registration_t *reg;
2056 
2057  reg = vl_api_client_index_to_registration (mp->client_index);
2058  if (!reg)
2059  return;
2060 
2061  if (mp->sw_if_index == ~0)
2062  {
2063  /* *INDENT-OFF* */
2064  pool_foreach (swif, im->sw_interfaces)
2065  {
2066  send_acl_interface_list_details(am, reg, swif->sw_if_index, mp->context);
2067  }
2068  /* *INDENT-ON* */
2069  }
2070  else
2071  {
2072  sw_if_index = ntohl (mp->sw_if_index);
2073  if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
2074  send_acl_interface_list_details (am, reg, sw_if_index, mp->context);
2075  }
2076 }
2077 
2078 /* MACIP ACL API handlers */
2079 
2080 static void
2081 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
2082 {
2083  vl_api_macip_acl_add_reply_t *rmp;
2084  acl_main_t *am = &acl_main;
2085  int rv;
2086  u32 acl_list_index = ~0;
2087  u32 acl_count = ntohl (mp->count);
2088  u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2089 
2090  if (verify_message_len (mp, expected_len, "macip_acl_add"))
2091  {
2092  rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2093  }
2094  else
2095  {
2096  rv = VNET_API_ERROR_INVALID_VALUE;
2097  }
2098 
2099  /* *INDENT-OFF* */
2100  REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
2101  ({
2102  rmp->acl_index = htonl(acl_list_index);
2103  }));
2104  /* *INDENT-ON* */
2105 }
2106 
2107 static void
2108 vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
2109 {
2110  vl_api_macip_acl_add_replace_reply_t *rmp;
2111  acl_main_t *am = &acl_main;
2112  int rv;
2113  u32 acl_list_index = ntohl (mp->acl_index);
2114  u32 acl_count = ntohl (mp->count);
2115  u64 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2116 
2117  if (verify_message_len (mp, expected_len, "macip_acl_add_replace"))
2118  {
2119  rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2120  }
2121  else
2122  {
2123  rv = VNET_API_ERROR_INVALID_VALUE;
2124  }
2125 
2126  /* *INDENT-OFF* */
2127  REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY,
2128  ({
2129  rmp->acl_index = htonl(acl_list_index);
2130  }));
2131  /* *INDENT-ON* */
2132 }
2133 
2134 static void
2135 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
2136 {
2137  acl_main_t *am = &acl_main;
2138  vl_api_macip_acl_del_reply_t *rmp;
2139  int rv;
2140 
2141  rv = macip_acl_del_list (ntohl (mp->acl_index));
2142 
2143  REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
2144 }
2145 
2146 static void
2147  vl_api_macip_acl_interface_add_del_t_handler
2148  (vl_api_macip_acl_interface_add_del_t * mp)
2149 {
2150  acl_main_t *am = &acl_main;
2151  vl_api_macip_acl_interface_add_del_reply_t *rmp;
2152  int rv = -1;
2153  vnet_interface_main_t *im = &am->vnet_main->interface_main;
2154  u32 sw_if_index = ntohl (mp->sw_if_index);
2155 
2156  if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2157  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2158  else
2159  rv =
2160  macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
2161  ntohl (mp->acl_index));
2162 
2163  REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
2164 }
2165 
2166 static void
2167 send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
2168  macip_acl_list_t * acl, u32 context)
2169 {
2170  vl_api_macip_acl_details_t *mp;
2171  vl_api_macip_acl_rule_t *rules;
2172  macip_acl_rule_t *r;
2173  int i;
2174  int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
2175 
2176  mp = vl_msg_api_alloc (msg_size);
2177  clib_memset (mp, 0, msg_size);
2178  mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
2179 
2180  /* fill in the message */
2181  mp->context = context;
2182  if (acl)
2183  {
2184  snprintf ((char *) mp->tag, sizeof (mp->tag), "%s", acl->tag);
2185  mp->count = htonl (acl->count);
2186  mp->acl_index = htonl (acl - am->macip_acls);
2187  rules = mp->r;
2188  for (i = 0; i < acl->count; i++)
2189  {
2190  r = &acl->rules[i];
2191  rules[i].is_permit = r->is_permit;
2192  mac_address_encode ((mac_address_t *) & r->src_mac,
2193  rules[i].src_mac);
2194  mac_address_encode ((mac_address_t *) & r->src_mac_mask,
2195  rules[i].src_mac_mask);
2196  ip_address_encode (&r->src_ip_addr,
2197  r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
2198  &rules[i].src_prefix.address);
2199  rules[i].src_prefix.len = r->src_prefixlen;
2200  }
2201  }
2202  else
2203  {
2204  /* No martini, no party - no ACL applied to this interface. */
2205  mp->acl_index = ~0;
2206  mp->count = 0;
2207  }
2208 
2209  vl_api_send_msg (reg, (u8 *) mp);
2210 }
2211 
2212 
2213 static void
2214 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
2215 {
2216  acl_main_t *am = &acl_main;
2217  macip_acl_list_t *acl;
2218 
2219  vl_api_registration_t *reg;
2220 
2221  reg = vl_api_client_index_to_registration (mp->client_index);
2222  if (!reg)
2223  return;
2224 
2225  if (mp->acl_index == ~0)
2226  {
2227  /* Just dump all ACLs for now, with sw_if_index = ~0 */
2228  /* *INDENT-OFF* */
2229  pool_foreach (acl, am->macip_acls)
2230  {
2231  send_macip_acl_details (am, reg, acl, mp->context);
2232  }
2233  /* *INDENT-ON* */
2234  }
2235  else
2236  {
2237  u32 acl_index = ntohl (mp->acl_index);
2238  if (!pool_is_free_index (am->macip_acls, acl_index))
2239  {
2240  acl = pool_elt_at_index (am->macip_acls, acl_index);
2241  send_macip_acl_details (am, reg, acl, mp->context);
2242  }
2243  }
2244 }
2245 
2246 static void
2247 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
2248  mp)
2249 {
2250  acl_main_t *am = &acl_main;
2251  vl_api_macip_acl_interface_get_reply_t *rmp;
2252  u32 count = vec_len (am->macip_acl_by_sw_if_index);
2253  int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
2254  vl_api_registration_t *reg;
2255  int i;
2256 
2257  reg = vl_api_client_index_to_registration (mp->client_index);
2258  if (!reg)
2259  return;
2260 
2261  rmp = vl_msg_api_alloc (msg_size);
2262  clib_memset (rmp, 0, msg_size);
2263  rmp->_vl_msg_id =
2264  ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
2265  rmp->context = mp->context;
2266  rmp->count = htonl (count);
2267  for (i = 0; i < count; i++)
2268  {
2269  rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
2270  }
2271 
2272  vl_api_send_msg (reg, (u8 *) rmp);
2273 }
2274 
2275 static void
2276 send_macip_acl_interface_list_details (acl_main_t * am,
2277  vl_api_registration_t * reg,
2278  u32 sw_if_index,
2279  u32 acl_index, u32 context)
2280 {
2281  vl_api_macip_acl_interface_list_details_t *rmp;
2282  /* at this time there is only ever 1 mac ip acl per interface */
2283  int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]);
2284 
2285  rmp = vl_msg_api_alloc (msg_size);
2286  clib_memset (rmp, 0, msg_size);
2287  rmp->_vl_msg_id =
2288  ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2289 
2290  /* fill in the message */
2291  rmp->context = context;
2292  rmp->count = 1;
2293  rmp->sw_if_index = htonl (sw_if_index);
2294  rmp->acls[0] = htonl (acl_index);
2295 
2296  vl_api_send_msg (reg, (u8 *) rmp);
2297 }
2298 
2299 static void
2300  vl_api_macip_acl_interface_list_dump_t_handler
2301  (vl_api_macip_acl_interface_list_dump_t * mp)
2302 {
2303  vl_api_registration_t *reg;
2304  acl_main_t *am = &acl_main;
2305  u32 sw_if_index = ntohl (mp->sw_if_index);
2306 
2307  reg = vl_api_client_index_to_registration (mp->client_index);
2308  if (!reg)
2309  return;
2310 
2311  if (sw_if_index == ~0)
2312  {
2313  vec_foreach_index (sw_if_index, am->macip_acl_by_sw_if_index)
2314  {
2315  if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
2316  {
2317  send_macip_acl_interface_list_details (am, reg, sw_if_index,
2318  am->
2319  macip_acl_by_sw_if_index
2320  [sw_if_index],
2321  mp->context);
2322  }
2323  }
2324  }
2325  else
2326  {
2327  if (vec_len (am->macip_acl_by_sw_if_index) > sw_if_index)
2328  {
2329  send_macip_acl_interface_list_details (am, reg, sw_if_index,
2330  am->macip_acl_by_sw_if_index
2331  [sw_if_index], mp->context);
2332  }
2333  }
2334 }
2335 
2336 static void
2337  vl_api_acl_interface_set_etype_whitelist_t_handler
2338  (vl_api_acl_interface_set_etype_whitelist_t * mp)
2339 {
2340  acl_main_t *am = &acl_main;
2341  vl_api_acl_interface_set_etype_whitelist_reply_t *rmp;
2342  int rv = 0;
2343  int i;
2344  vnet_interface_main_t *im = &am->vnet_main->interface_main;
2345  u32 sw_if_index = ntohl (mp->sw_if_index);
2346  u16 *vec_in = 0, *vec_out = 0;
2347 
2348  if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2349  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2350  else
2351  {
2352  for (i = 0; i < mp->count; i++)
2353  {
2354  if (i < mp->n_input)
2355  vec_add1 (vec_in, ntohs (mp->whitelist[i]));
2356  else
2357  vec_add1 (vec_out, ntohs (mp->whitelist[i]));
2358  }
2359  rv = acl_set_etype_whitelists (am, sw_if_index, vec_in, vec_out);
2360  }
2361 
2362  REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY);
2363 }
2364 
2365 static void
2366 send_acl_interface_etype_whitelist_details (acl_main_t * am,
2367  vl_api_registration_t * reg,
2368  u32 sw_if_index, u32 context)
2369 {
2370  vl_api_acl_interface_etype_whitelist_details_t *mp;
2371  int msg_size;
2372  int n_input = 0;
2373  int n_output = 0;
2374  int count = 0;
2375  int i = 0;
2376 
2377  u16 *whitelist_in = 0;
2378  u16 *whitelist_out = 0;
2379 
2380  if (intf_has_etype_whitelist (am, sw_if_index, 0))
2381  whitelist_out =
2382  vec_elt (am->output_etype_whitelist_by_sw_if_index, sw_if_index);
2383 
2384  if (intf_has_etype_whitelist (am, sw_if_index, 1))
2385  whitelist_in =
2386  vec_elt (am->input_etype_whitelist_by_sw_if_index, sw_if_index);
2387 
2388  if ((0 == whitelist_in) && (0 == whitelist_out))
2389  return; /* nothing to do */
2390 
2391  n_input = vec_len (whitelist_in);
2392  n_output = vec_len (whitelist_out);
2393  count = n_input + n_output;
2394 
2395  msg_size = sizeof (*mp);
2396  msg_size += sizeof (mp->whitelist[0]) * count;
2397 
2398  mp = vl_msg_api_alloc (msg_size);
2399  clib_memset (mp, 0, msg_size);
2400  mp->_vl_msg_id =
2401  ntohs (VL_API_ACL_INTERFACE_ETYPE_WHITELIST_DETAILS + am->msg_id_base);
2402 
2403  /* fill in the message */
2404  mp->context = context;
2405  mp->sw_if_index = htonl (sw_if_index);
2406  mp->count = count;
2407  mp->n_input = n_input;
2408  for (i = 0; i < n_input; i++)
2409  {
2410  mp->whitelist[i] = htons (whitelist_in[i]);
2411  }
2412  for (i = 0; i < n_output; i++)
2413  {
2414  mp->whitelist[n_input + i] = htons (whitelist_out[i]);
2415  }
2416  vl_api_send_msg (reg, (u8 *) mp);
2417 }
2418 
2419 
2420 static void
2421  vl_api_acl_interface_etype_whitelist_dump_t_handler
2422  (vl_api_acl_interface_list_dump_t * mp)
2423 {
2424  acl_main_t *am = &acl_main;
2425  vnet_sw_interface_t *swif;
2426  vnet_interface_main_t *im = &am->vnet_main->interface_main;
2427 
2428  u32 sw_if_index;
2429  vl_api_registration_t *reg;
2430 
2431  reg = vl_api_client_index_to_registration (mp->client_index);
2432  if (!reg)
2433  return;
2434 
2435  if (mp->sw_if_index == ~0)
2436  {
2437  /* *INDENT-OFF* */
2438  pool_foreach (swif, im->sw_interfaces)
2439  {
2440  send_acl_interface_etype_whitelist_details(am, reg, swif->sw_if_index, mp->context);
2441  }
2442  /* *INDENT-ON* */
2443  }
2444  else
2445  {
2446  sw_if_index = ntohl (mp->sw_if_index);
2447  if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
2448  send_acl_interface_etype_whitelist_details (am, reg, sw_if_index,
2449  mp->context);
2450  }
2451 }
2452 
2453 static void
2454 acl_set_timeout_sec (int timeout_type, u32 value)
2455 {
2456  acl_main_t *am = &acl_main;
2457  clib_time_t *ct = &am->vlib_main->clib_time;
2458 
2459  if (timeout_type < ACL_N_TIMEOUTS)
2460  {
2461  am->session_timeout_sec[timeout_type] = value;
2462  }
2463  else
2464  {
2465  clib_warning ("Unknown timeout type %d", timeout_type);
2466  return;
2467  }
2468  am->session_timeout[timeout_type] =
2469  (u64) (((f64) value) / ct->seconds_per_clock);
2470 }
2471 
2472 static void
2473 acl_set_session_max_entries (u32 value)
2474 {
2475  acl_main_t *am = &acl_main;
2476  am->fa_conn_table_max_entries = value;
2477 }
2478 
2479 static int
2480 acl_set_skip_ipv6_eh (u32 eh, u32 value)
2481 {
2482  acl_main_t *am = &acl_main;
2483 
2484  if ((eh < 256) && (value < 2))
2485  {
2486  am->fa_ipv6_known_eh_bitmap =
2487  clib_bitmap_set (am->fa_ipv6_known_eh_bitmap, eh, value);
2488  return 1;
2489  }
2490  else
2491  return 0;
2492 }
2493 
2494 
2495 static clib_error_t *
2496 acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
2497 {
2498  acl_main_t *am = &acl_main;
2499  if (0 == is_add)
2500  {
2501  int may_clear_sessions = 1;
2502  vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
2503  ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
2504  sw_if_index);
2505  /* also unapply any ACLs in case the users did not do so. */
2506  macip_acl_interface_del_acl (am, sw_if_index);
2507  acl_interface_reset_inout_acls (sw_if_index, 0, &may_clear_sessions);
2508  acl_interface_reset_inout_acls (sw_if_index, 1, &may_clear_sessions);
2509  }
2510  return 0;
2511 }
2512 
2513 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (acl_sw_interface_add_del);
2514 
2515 
2516 
2517 static clib_error_t *
2518 acl_set_aclplugin_fn (vlib_main_t * vm,
2519  unformat_input_t * input, vlib_cli_command_t * cmd)
2520 {
2521  clib_error_t *error = 0;
2522  u32 timeout = 0;
2523  u32 val = 0;
2524  u32 eh_val = 0;
2525  uword memory_size = 0;
2526  acl_main_t *am = &acl_main;
2527 
2528  if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val))
2529  {
2530  if (!acl_set_skip_ipv6_eh (eh_val, val))
2531  {
2532  error = clib_error_return (0, "expecting eh=0..255, value=0..1");
2533  }
2534  goto done;
2535  }
2536  if (unformat (input, "use-hash-acl-matching %u", &val))
2537  {
2538  am->use_hash_acl_matching = (val != 0);
2539  goto done;
2540  }
2541  if (unformat (input, "l4-match-nonfirst-fragment %u", &val))
2542  {
2543  am->l4_match_nonfirst_fragment = (val != 0);
2544  goto done;
2545  }
2546  if (unformat (input, "reclassify-sessions %u", &val))
2547  {
2548  am->reclassify_sessions = (val != 0);
2549  goto done;
2550  }
2551  if (unformat (input, "event-trace"))
2552  {
2553  if (!unformat (input, "%u", &val))
2554  {
2555  error = clib_error_return (0,
2556  "expecting trace level, got `%U`",
2557  format_unformat_error, input);
2558  goto done;
2559  }
2560  else
2561  {
2562  am->trace_acl = val;
2563  goto done;
2564  }
2565  }
2566  if (unformat (input, "heap"))
2567  {
2568  if (unformat (input, "main"))
2569  {
2570  if (unformat (input, "validate %u", &val))
2571  clib_warning ("ACL local heap is deprecated");
2572  else if (unformat (input, "trace %u", &val))
2573  clib_warning ("ACL local heap is deprecated");
2574  goto done;
2575  }
2576  else if (unformat (input, "hash"))
2577  {
2578  if (unformat (input, "validate %u", &val))
2579  clib_warning ("ACL local heap is deprecated");
2580  else if (unformat (input, "trace %u", &val))
2581  clib_warning ("ACL local heap is deprecated");
2582  goto done;
2583  }
2584  goto done;
2585  }
2586  if (unformat (input, "session"))
2587  {
2588  if (unformat (input, "table"))
2589  {
2590  /* The commands here are for tuning/testing. No user-serviceable parts inside */
2591  if (unformat (input, "max-entries"))
2592  {
2593  if (!unformat (input, "%u", &val))
2594  {
2595  error = clib_error_return (0,
2596  "expecting maximum number of entries, got `%U`",
2597  format_unformat_error, input);
2598  goto done;
2599  }
2600  else
2601  {
2602  acl_set_session_max_entries (val);
2603  goto done;
2604  }
2605  }
2606  if (unformat (input, "hash-table-buckets"))
2607  {
2608  if (!unformat (input, "%u", &val))
2609  {
2610  error = clib_error_return (0,
2611  "expecting maximum number of hash table buckets, got `%U`",
2612  format_unformat_error, input);
2613  goto done;
2614  }
2615  else
2616  {
2617  am->fa_conn_table_hash_num_buckets = val;
2618  goto done;
2619  }
2620  }
2621  if (unformat (input, "hash-table-memory"))
2622  {
2623  if (!unformat (input, "%U", unformat_memory_size, &memory_size))
2624  {
2625  error = clib_error_return (0,
2626  "expecting maximum amount of hash table memory, got `%U`",
2627  format_unformat_error, input);
2628  goto done;
2629  }
2630  else
2631  {
2632  am->fa_conn_table_hash_memory_size = memory_size;
2633  goto done;
2634  }
2635  }
2636  if (unformat (input, "event-trace"))
2637  {
2638  if (!unformat (input, "%u", &val))
2639  {
2640  error = clib_error_return (0,
2641  "expecting trace level, got `%U`",
2642  format_unformat_error, input);
2643  goto done;
2644  }
2645  else
2646  {
2647  am->trace_sessions = val;
2648  goto done;
2649  }
2650  }
2651  goto done;
2652  }
2653  if (unformat (input, "timeout"))
2654  {
2655  if (unformat (input, "udp"))
2656  {
2657  if (unformat (input, "idle"))
2658  {
2659  if (!unformat (input, "%u", &timeout))
2660  {
2661  error = clib_error_return (0,
2662  "expecting timeout value in seconds, got `%U`",
2663  format_unformat_error,
2664  input);
2665  goto done;
2666  }
2667  else
2668  {
2669  acl_set_timeout_sec (ACL_TIMEOUT_UDP_IDLE, timeout);
2670  goto done;
2671  }
2672  }
2673  }
2674  if (unformat (input, "tcp"))
2675  {
2676  if (unformat (input, "idle"))
2677  {
2678  if (!unformat (input, "%u", &timeout))
2679  {
2680  error = clib_error_return (0,
2681  "expecting timeout value in seconds, got `%U`",
2682  format_unformat_error,
2683  input);
2684  goto done;
2685  }
2686  else
2687  {
2688  acl_set_timeout_sec (ACL_TIMEOUT_TCP_IDLE, timeout);
2689  goto done;
2690  }
2691  }
2692  if (unformat (input, "transient"))
2693  {
2694  if (!unformat (input, "%u", &timeout))
2695  {
2696  error = clib_error_return (0,
2697  "expecting timeout value in seconds, got `%U`",
2698  format_unformat_error,
2699  input);
2700  goto done;
2701  }
2702  else
2703  {
2704  acl_set_timeout_sec (ACL_TIMEOUT_TCP_TRANSIENT,
2705  timeout);
2706  goto done;
2707  }
2708  }
2709  }
2710  goto done;
2711  }
2712  }
2713 done:
2714  return error;
2715 }
2716 
2717 static u8 *
2718 my_format_mac_address (u8 * s, va_list * args)
2719 {
2720  u8 *a = va_arg (*args, u8 *);
2721  return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
2722  a[0], a[1], a[2], a[3], a[4], a[5]);
2723 }
2724 
2725 static inline u8 *
2726 my_macip_acl_rule_t_pretty_format (u8 * out, va_list * args)
2727 {
2728  macip_acl_rule_t *a = va_arg (*args, macip_acl_rule_t *);
2729 
2730  out = format (out, "%s action %d ip %U/%d mac %U mask %U",
2731  a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
2732  format_ip46_address, &a->src_ip_addr,
2733  a->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
2734  a->src_prefixlen,
2735  my_format_mac_address, a->src_mac,
2736  my_format_mac_address, a->src_mac_mask);
2737  return (out);
2738 }
2739 
2740 static void
2741 macip_acl_print (acl_main_t * am, u32 macip_acl_index)
2742 {
2743  vlib_main_t *vm = am->vlib_main;
2744  int i;
2745 
2746  /* Don't try to print someone else's memory */
2747  if (macip_acl_index >= vec_len (am->macip_acls))
2748  return;
2749 
2750  macip_acl_list_t *a = vec_elt_at_index (am->macip_acls, macip_acl_index);
2751  int free_pool_slot = pool_is_free_index (am->macip_acls, macip_acl_index);
2752 
2753  vlib_cli_output (vm,
2754  "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
2755  macip_acl_index, a->count, vec_len (a->rules), a->tag,
2756  free_pool_slot);
2757  vlib_cli_output (vm,
2758  " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
2759  a->ip4_table_index, a->ip6_table_index, a->l2_table_index);
2760  vlib_cli_output (vm,
2761  " out_ip4_table_index %d, out_ip6_table_index %d, out_l2_table_index %d\n",
2762  a->out_ip4_table_index, a->out_ip6_table_index,
2763  a->out_l2_table_index);
2764  for (i = 0; i < vec_len (a->rules); i++)
2765  vlib_cli_output (vm, " rule %d: %U\n", i,
2766  my_macip_acl_rule_t_pretty_format,
2767  vec_elt_at_index (a->rules, i));
2768 
2769 }
2770 
2771 static clib_error_t *
2772 acl_set_aclplugin_interface_fn (vlib_main_t * vm,
2773  unformat_input_t * input,
2774  vlib_cli_command_t * cmd)
2775 {
2776  unformat_input_t _line_input, *line_input = &_line_input;
2777  u32 sw_if_index, is_add, is_input, acl_index;
2778 
2779  is_add = is_input = 1;
2780  acl_index = sw_if_index = ~0;
2781 
2782  if (!unformat_user (input, unformat_line_input, line_input))
2783  return 0;
2784 
2785  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2786  {
2787  if (unformat (line_input, "%U",
2788  unformat_vnet_sw_interface, vnet_get_main (),
2789  &sw_if_index))
2790  ;
2791  else if (unformat (line_input, "add"))
2792  is_add = 1;
2793  else if (unformat (line_input, "del"))
2794  is_add = 0;
2795  else if (unformat (line_input, "acl %d", &acl_index))
2796  ;
2797  else if (unformat (line_input, "input"))
2798  is_input = 1;
2799  else if (unformat (line_input, "output"))
2800  is_input = 0;
2801  else
2802  break;
2803  }
2804 
2805  if (~0 == sw_if_index)
2806  return (clib_error_return (0, "invalid interface"));
2807  if (~0 == acl_index)
2808  return (clib_error_return (0, "invalid acl"));
2809 
2810  acl_interface_add_del_inout_acl (sw_if_index, is_add, is_input, acl_index);
2811 
2812  unformat_free (line_input);
2813  return (NULL);
2814 }
2815 
2816 #define vec_validate_acl_rules(v, idx) \
2817  do { \
2818  if (vec_len(v) < idx+1) { \
2819  vec_validate(v, idx); \
2820  v[idx].is_permit = 0x1; \
2821  v[idx].srcport_or_icmptype_last = 0xffff; \
2822  v[idx].dstport_or_icmpcode_last = 0xffff; \
2823  } \
2824  } while (0)
2825 
2826 static clib_error_t *
2827 acl_set_aclplugin_acl_fn (vlib_main_t * vm,
2828  unformat_input_t * input, vlib_cli_command_t * cmd)
2829 {
2830  unformat_input_t _line_input, *line_input = &_line_input;
2831  vl_api_acl_rule_t *rules = 0;
2832  int rv;
2833  int rule_idx = 0;
2834  int n_rules_override = -1;
2835  u32 proto = 0;
2836  u32 port1 = 0;
2837  u32 port2 = 0;
2838  u32 action = 0;
2839  u32 tcpflags, tcpmask;
2840  u32 src_prefix_length = 0, dst_prefix_length = 0;
2841  ip46_address_t src, dst;
2842  u8 *tag = 0;
2843 
2844  if (!unformat_user (input, unformat_line_input, line_input))
2845  return 0;
2846 
2847  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2848  {
2849  if (unformat (line_input, "permit+reflect"))
2850  {
2851  vec_validate_acl_rules (rules, rule_idx);
2852  rules[rule_idx].is_permit = 2;
2853  }
2854  else if (unformat (line_input, "permit"))
2855  {
2856  vec_validate_acl_rules (rules, rule_idx);
2857  rules[rule_idx].is_permit = 1;
2858  }
2859  else if (unformat (line_input, "deny"))
2860  {
2861  vec_validate_acl_rules (rules, rule_idx);
2862  rules[rule_idx].is_permit = 0;
2863  }
2864  else if (unformat (line_input, "count %d", &n_rules_override))
2865  {
2866  /* we will use this later */
2867  }
2868  else if (unformat (line_input, "action %d", &action))
2869  {
2870  vec_validate_acl_rules (rules, rule_idx);
2871  rules[rule_idx].is_permit = action;
2872  }
2873  else if (unformat (line_input, "src %U/%d",
2874  unformat_ip46_address, &src, IP46_TYPE_ANY,
2875  &src_prefix_length))
2876  {
2877  vec_validate_acl_rules (rules, rule_idx);
2878  ip_address_encode (&src, IP46_TYPE_ANY,
2879  &rules[rule_idx].src_prefix.address);
2880  rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
2881  rules[rule_idx].src_prefix.len = src_prefix_length;
2882  }
2883  else if (unformat (line_input, "dst %U/%d",
2884  unformat_ip46_address, &dst, IP46_TYPE_ANY,
2885  &dst_prefix_length))
2886  {
2887  vec_validate_acl_rules (rules, rule_idx);
2888  ip_address_encode (&dst, IP46_TYPE_ANY,
2889  &rules[rule_idx].dst_prefix.address);
2890  rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
2891  rules[rule_idx].dst_prefix.len = dst_prefix_length;
2892  }
2893  else if (unformat (line_input, "sport %d-%d", &port1, &port2))
2894  {
2895  vec_validate_acl_rules (rules, rule_idx);
2896  rules[rule_idx].srcport_or_icmptype_first = htons (port1);
2897  rules[rule_idx].srcport_or_icmptype_last = htons (port2);
2898  }
2899  else if (unformat (line_input, "sport %d", &port1))
2900  {
2901  vec_validate_acl_rules (rules, rule_idx);
2902  rules[rule_idx].srcport_or_icmptype_first = htons (port1);
2903  rules[rule_idx].srcport_or_icmptype_last = htons (port1);
2904  }
2905  else if (unformat (line_input, "dport %d-%d", &port1, &port2))
2906  {
2907  vec_validate_acl_rules (rules, rule_idx);
2908  rules[rule_idx].dstport_or_icmpcode_first = htons (port1);
2909  rules[rule_idx].dstport_or_icmpcode_last = htons (port2);
2910  }
2911  else if (unformat (line_input, "dport %d", &port1))
2912  {
2913  vec_validate_acl_rules (rules, rule_idx);
2914  rules[rule_idx].dstport_or_icmpcode_first = htons (port1);
2915  rules[rule_idx].dstport_or_icmpcode_last = htons (port1);
2916  }
2917  else if (unformat (line_input, "tcpflags %d %d", &tcpflags, &tcpmask))
2918  {
2919  vec_validate_acl_rules (rules, rule_idx);
2920  rules[rule_idx].tcp_flags_value = tcpflags;
2921  rules[rule_idx].tcp_flags_mask = tcpmask;
2922  }
2923  else
2924  if (unformat (line_input, "tcpflags %d mask %d", &tcpflags, &tcpmask))
2925  {
2926  vec_validate_acl_rules (rules, rule_idx);
2927  rules[rule_idx].tcp_flags_value = tcpflags;
2928  rules[rule_idx].tcp_flags_mask = tcpmask;
2929  }
2930  else if (unformat (line_input, "proto %d", &proto))
2931  {
2932  vec_validate_acl_rules (rules, rule_idx);
2933  rules[rule_idx].proto = proto;
2934  }
2935  else if (unformat (line_input, "tag %s", &tag))
2936  {
2937  }
2938  else if (unformat (line_input, ","))
2939  {
2940  rule_idx++;
2941  vec_validate_acl_rules (rules, rule_idx);
2942  }
2943  else
2944  break;
2945  }
2946 
2947  u32 acl_index = ~0;
2948  if (!tag)
2949  vec_add (tag, "cli", 4);
2950 
2951  rv = acl_add_list (vec_len (rules), rules, &acl_index, tag);
2952 
2953  vec_free (rules);
2954  vec_free (tag);
2955 
2956  if (rv)
2957  return (clib_error_return (0, "failed"));
2958 
2959  vlib_cli_output (vm, "ACL index:%d", acl_index);
2960 
2961  return (NULL);
2962 }
2963 
2964 static clib_error_t *
2965 acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
2966  unformat_input_t *
2967  input, vlib_cli_command_t * cmd)
2968 {
2969  clib_error_t *error = 0;
2970  acl_main_t *am = &acl_main;
2971  int i;
2972  u32 acl_index = ~0;
2973 
2974  (void) unformat (input, "index %u", &acl_index);
2975 
2976  for (i = 0; i < vec_len (am->macip_acls); i++)
2977  {
2978  /* Don't attempt to show the ACLs that do not exist */
2979  if (pool_is_free_index (am->macip_acls, i))
2980  continue;
2981 
2982  if ((acl_index != ~0) && (acl_index != i))
2983  {
2984  continue;
2985  }
2986 
2987  macip_acl_print (am, i);
2988  if (i < vec_len (am->sw_if_index_vec_by_macip_acl))
2989  {
2990  vlib_cli_output (vm, " applied on sw_if_index(s): %U\n",
2991  format_vec32,
2992  vec_elt (am->sw_if_index_vec_by_macip_acl, i),
2993  "%d");
2994  }
2995  }
2996 
2997  return error;
2998 }
2999 
3000 static clib_error_t *
3001 acl_show_aclplugin_macip_interface_fn (vlib_main_t * vm,
3002  unformat_input_t *
3003  input, vlib_cli_command_t * cmd)
3004 {
3005  clib_error_t *error = 0;
3006  acl_main_t *am = &acl_main;
3007  int i;
3008  for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
3009  {
3010  vlib_cli_output (vm, " sw_if_index %d: %d\n", i,
3011  vec_elt (am->macip_acl_by_sw_if_index, i));
3012  }
3013  return error;
3014 }
3015 
3016 static void
3017 acl_plugin_show_acl (acl_main_t * am, u32 acl_index)
3018 {
3019  u32 i;
3020  vlib_main_t *vm = am->vlib_main;
3021 
3022  for (i = 0; i < vec_len (am->acls); i++)
3023  {
3024  if (acl_is_not_defined (am, i))
3025  {
3026  /* don't attempt to show the ACLs that do not exist */
3027  continue;
3028  }
3029  if ((acl_index != ~0) && (acl_index != i))
3030  {
3031  continue;
3032  }
3033  acl_print_acl (vm, am, i);
3034 
3035  if (i < vec_len (am->input_sw_if_index_vec_by_acl))
3036  {
3037  vlib_cli_output (vm, " applied inbound on sw_if_index: %U\n",
3038  format_vec32, am->input_sw_if_index_vec_by_acl[i],
3039  "%d");
3040  }
3041  if (i < vec_len (am->output_sw_if_index_vec_by_acl))
3042  {
3043  vlib_cli_output (vm, " applied outbound on sw_if_index: %U\n",
3044  format_vec32, am->output_sw_if_index_vec_by_acl[i],
3045  "%d");
3046  }
3047  if (i < vec_len (am->lc_index_vec_by_acl))
3048  {
3049  vlib_cli_output (vm, " used in lookup context index: %U\n",
3050  format_vec32, am->lc_index_vec_by_acl[i], "%d");
3051  }
3052  }
3053 }
3054 
3055 static clib_error_t *
3056 acl_show_aclplugin_acl_fn (vlib_main_t * vm,
3057  unformat_input_t * input, vlib_cli_command_t * cmd)
3058 {
3059  clib_error_t *error = 0;
3060  acl_main_t *am = &acl_main;
3061 
3062  u32 acl_index = ~0;
3063  (void) unformat (input, "index %u", &acl_index);
3064 
3065  acl_plugin_show_acl (am, acl_index);
3066  return error;
3067 }
3068 
3069 static clib_error_t *
3070 acl_show_aclplugin_lookup_context_fn (vlib_main_t * vm,
3071  unformat_input_t * input,
3072  vlib_cli_command_t * cmd)
3073 {
3074  clib_error_t *error = 0;
3075 
3076  u32 lc_index = ~0;
3077  (void) unformat (input, "index %u", &lc_index);
3078 
3079  acl_plugin_show_lookup_context (lc_index);
3080  return error;
3081 }
3082 
3083 static clib_error_t *
3084 acl_show_aclplugin_lookup_user_fn (vlib_main_t * vm,
3085  unformat_input_t * input,
3086  vlib_cli_command_t * cmd)
3087 {
3088  clib_error_t *error = 0;
3089 
3090  u32 lc_index = ~0;
3091  (void) unformat (input, "index %u", &lc_index);
3092 
3093  acl_plugin_show_lookup_user (lc_index);
3094  return error;
3095 }
3096 
3097 
3098 static void
3099 acl_plugin_show_interface (acl_main_t * am, u32 sw_if_index, int show_acl,
3100  int detail)
3101 {
3102  vlib_main_t *vm = am->vlib_main;
3103  u32 swi;
3104  u32 *pj;
3105  for (swi = 0; (swi < vec_len (am->input_acl_vec_by_sw_if_index)) ||
3106  (swi < vec_len (am->output_acl_vec_by_sw_if_index)); swi++)
3107  {
3108  /* if we need a particular interface, skip all the others */
3109  if ((sw_if_index != ~0) && (sw_if_index != swi))
3110  continue;
3111 
3112  vlib_cli_output (vm, "sw_if_index %d:\n", swi);
3113  if (swi < vec_len (am->input_policy_epoch_by_sw_if_index))
3114  vlib_cli_output (vm, " input policy epoch: %x\n",
3115  vec_elt (am->input_policy_epoch_by_sw_if_index,
3116  swi));
3117  if (swi < vec_len (am->output_policy_epoch_by_sw_if_index))
3118  vlib_cli_output (vm, " output policy epoch: %x\n",
3119  vec_elt (am->output_policy_epoch_by_sw_if_index,
3120  swi));
3121 
3122 
3123  if (intf_has_etype_whitelist (am, swi, 1))
3124  {
3125  vlib_cli_output (vm, " input etype whitelist: %U", format_vec16,
3126  am->input_etype_whitelist_by_sw_if_index[swi],
3127  "%04x");
3128  }
3129  if (intf_has_etype_whitelist (am, swi, 0))
3130  {
3131  vlib_cli_output (vm, " output etype whitelist: %U", format_vec16,
3132  am->output_etype_whitelist_by_sw_if_index[swi],
3133  "%04x");
3134  }
3135 
3136  if ((swi < vec_len (am->input_acl_vec_by_sw_if_index)) &&
3137  (vec_len (am->input_acl_vec_by_sw_if_index[swi]) > 0))
3138  {
3139  vlib_cli_output (vm, " input acl(s): %U", format_vec32,
3140  am->input_acl_vec_by_sw_if_index[swi], "%d");
3141  if (show_acl)
3142  {
3143  vlib_cli_output (vm, "\n");
3144  vec_foreach (pj, am->input_acl_vec_by_sw_if_index[swi])
3145  {
3146  acl_print_acl (vm, am, *pj);
3147  }
3148  vlib_cli_output (vm, "\n");
3149  }
3150  }
3151 
3152  if ((swi < vec_len (am->output_acl_vec_by_sw_if_index)) &&
3153  (vec_len (am->output_acl_vec_by_sw_if_index[swi]) > 0))
3154  {
3155  vlib_cli_output (vm, " output acl(s): %U", format_vec32,
3156  am->output_acl_vec_by_sw_if_index[swi], "%d");
3157  if (show_acl)
3158  {
3159  vlib_cli_output (vm, "\n");
3160  vec_foreach (pj, am->output_acl_vec_by_sw_if_index[swi])
3161  {
3162  acl_print_acl (vm, am, *pj);
3163  }
3164  vlib_cli_output (vm, "\n");
3165  }
3166  }
3167  if (detail && (swi < vec_len (am->input_lc_index_by_sw_if_index)))
3168  {
3169  vlib_cli_output (vm, " input lookup context index: %d",
3170  am->input_lc_index_by_sw_if_index[swi]);
3171  }
3172  if (detail && (swi < vec_len (am->output_lc_index_by_sw_if_index)))
3173  {
3174  vlib_cli_output (vm, " output lookup context index: %d",
3175  am->output_lc_index_by_sw_if_index[swi]);
3176  }
3177  }
3178 
3179 }
3180 
3181 
3182 static clib_error_t *
3183 acl_show_aclplugin_decode_5tuple_fn (vlib_main_t * vm,
3184  unformat_input_t * input,
3185  vlib_cli_command_t * cmd)
3186 {
3187  clib_error_t *error = 0;
3188  u64 five_tuple[6] = { 0, 0, 0, 0, 0, 0 };
3189 
3190  if (unformat
3191  (input, "%llx %llx %llx %llx %llx %llx", &five_tuple[0], &five_tuple[1],
3192  &five_tuple[2], &five_tuple[3], &five_tuple[4], &five_tuple[5]))
3193  vlib_cli_output (vm, "5-tuple structure decode: %U\n\n",
3194  format_acl_plugin_5tuple, five_tuple);
3195  else
3196  error = clib_error_return (0, "expecting 6 hex integers");
3197  return error;
3198 }
3199 
3200 
3201 static clib_error_t *
3202 acl_show_aclplugin_interface_fn (vlib_main_t * vm,
3203  unformat_input_t *
3204  input, vlib_cli_command_t * cmd)
3205 {
3206  clib_error_t *error = 0;
3207  acl_main_t *am = &acl_main;
3208 
3209  u32 sw_if_index = ~0;
3210  (void) unformat (input, "sw_if_index %u", &sw_if_index);
3211  int show_acl = unformat (input, "acl");
3212  int detail = unformat (input, "detail");
3213 
3214  acl_plugin_show_interface (am, sw_if_index, show_acl, detail);
3215  return error;
3216 }
3217 
3218 static clib_error_t *
3219 acl_show_aclplugin_memory_fn (vlib_main_t * vm,
3220  unformat_input_t * input,
3221  vlib_cli_command_t * cmd)
3222 {
3223  clib_error_t *error = 0;
3224  vlib_cli_output (vm, "ACL memory is now part of the main heap");
3225  return error;
3226 }
3227 
3228 static void
3229 acl_plugin_show_sessions (acl_main_t * am,
3230  u32 show_session_thread_id,
3231  u32 show_session_session_index)
3232 {
3233  vlib_main_t *vm = am->vlib_main;
3234  u16 wk;
3235  vnet_interface_main_t *im = &am->vnet_main->interface_main;
3236  vnet_sw_interface_t *swif;
3237  u64 now = clib_cpu_time_now ();
3238  u64 clocks_per_second = am->vlib_main->clib_time.clocks_per_second;
3239 
3240  {
3241  u64 n_adds = am->fa_session_total_adds;
3242  u64 n_dels = am->fa_session_total_dels;
3243  u64 n_deact = am->fa_session_total_deactivations;
3244  vlib_cli_output (vm, "Sessions total: add %lu - del %lu = %lu", n_adds,
3245  n_dels, n_adds - n_dels);
3246  vlib_cli_output (vm, "Sessions active: add %lu - deact %lu = %lu", n_adds,
3247  n_deact, n_adds - n_deact);
3248  vlib_cli_output (vm, "Sessions being purged: deact %lu - del %lu = %lu",
3249  n_deact, n_dels, n_deact - n_dels);
3250  }
3251  vlib_cli_output (vm, "now: %lu clocks per second: %lu", now,
3252  clocks_per_second);
3253  vlib_cli_output (vm, "\n\nPer-thread data:");
3254  for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3255  {
3256  acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3257  vlib_cli_output (vm, "Thread #%d:", wk);
3258  if (show_session_thread_id == wk
3259  && show_session_session_index < pool_len (pw->fa_sessions_pool))
3260  {
3261  vlib_cli_output (vm, " session index %u:",
3262  show_session_session_index);
3263  fa_session_t *sess =
3264  pw->fa_sessions_pool + show_session_session_index;
3265  u64 *m = (u64 *) & sess->info;
3266  vlib_cli_output (vm,
3267  " info: %016llx %016llx %016llx %016llx %016llx %016llx",
3268  m[0], m[1], m[2], m[3], m[4], m[5]);
3269  vlib_cli_output (vm, " sw_if_index: %u", sess->sw_if_index);
3270  vlib_cli_output (vm, " tcp_flags_seen: %x",
3271  sess->tcp_flags_seen.as_u16);
3272  vlib_cli_output (vm, " last active time: %lu",
3273  sess->last_active_time);
3274  vlib_cli_output (vm, " thread index: %u", sess->thread_index);
3275  vlib_cli_output (vm, " link enqueue time: %lu",
3276  sess->link_enqueue_time);
3277  vlib_cli_output (vm, " link next index: %u",
3278  sess->link_next_idx);
3279  vlib_cli_output (vm, " link prev index: %u",
3280  sess->link_prev_idx);
3281  vlib_cli_output (vm, " link list id: %u", sess->link_list_id);
3282  }
3283  vlib_cli_output (vm, " connection add/del stats:", wk);
3284  /* *INDENT-OFF* */
3285  pool_foreach (swif, im->sw_interfaces)
3286  {
3287  u32 sw_if_index = swif->sw_if_index;
3288  u64 n_adds =
3289  (sw_if_index < vec_len (pw->fa_session_adds_by_sw_if_index) ?
3290  pw->fa_session_adds_by_sw_if_index[sw_if_index] :
3291  0);
3292  u64 n_dels =
3293  (sw_if_index < vec_len (pw->fa_session_dels_by_sw_if_index) ?
3294  pw->fa_session_dels_by_sw_if_index[sw_if_index] :
3295  0);
3296  u64 n_epoch_changes =
3297  (sw_if_index < vec_len (pw->fa_session_epoch_change_by_sw_if_index) ?
3298  pw->fa_session_epoch_change_by_sw_if_index[sw_if_index] :
3299  0);
3300  vlib_cli_output (vm,
3301  " sw_if_index %d: add %lu - del %lu = %lu; epoch chg: %lu",
3302  sw_if_index,
3303  n_adds,
3304  n_dels,
3305  n_adds -
3306  n_dels,
3307  n_epoch_changes);
3308  }
3309  /* *INDENT-ON* */
3310 
3311  vlib_cli_output (vm, " connection timeout type lists:", wk);
3312  u8 tt = 0;
3313  for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
3314  {
3315  u32 head_session_index = pw->fa_conn_list_head[tt];
3316  vlib_cli_output (vm, " fa_conn_list_head[%d]: %d", tt,
3317  head_session_index);
3318  if (~0 != head_session_index)
3319  {
3320  fa_session_t *sess = pw->fa_sessions_pool + head_session_index;
3321  vlib_cli_output (vm, " last active time: %lu",
3322  sess->last_active_time);
3323  vlib_cli_output (vm, " link enqueue time: %lu",
3324  sess->link_enqueue_time);
3325  }
3326  }
3327 
3328  vlib_cli_output (vm, " Next expiry time: %lu", pw->next_expiry_time);
3329  vlib_cli_output (vm, " Requeue until time: %lu",
3330  pw->requeue_until_time);
3331  vlib_cli_output (vm, " Current time wait interval: %lu",
3332  pw->current_time_wait_interval);
3333  vlib_cli_output (vm, " Count of deleted sessions: %lu",
3334  pw->cnt_deleted_sessions);
3335  vlib_cli_output (vm, " Delete already deleted: %lu",
3336  pw->cnt_already_deleted_sessions);
3337  vlib_cli_output (vm, " Session timers restarted: %lu",
3338  pw->cnt_session_timer_restarted);
3339  vlib_cli_output (vm, " Swipe until this time: %lu",
3340  pw->swipe_end_time);
3341  vlib_cli_output (vm, " sw_if_index serviced bitmap: %U",
3342  format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
3343  vlib_cli_output (vm, " pending clear intfc bitmap : %U",
3344  format_bitmap_hex,
3345  pw->pending_clear_sw_if_index_bitmap);
3346  vlib_cli_output (vm, " clear in progress: %u", pw->clear_in_process);
3347  vlib_cli_output (vm, " interrupt is pending: %d",
3348  pw->interrupt_is_pending);
3349  vlib_cli_output (vm, " interrupt is needed: %d",
3350  pw->interrupt_is_needed);
3351  vlib_cli_output (vm, " interrupt is unwanted: %d",
3352  pw->interrupt_is_unwanted);
3353  vlib_cli_output (vm, " interrupt generation: %d",
3354  pw->interrupt_generation);
3355  vlib_cli_output (vm, " received session change requests: %d",
3356  pw->rcvd_session_change_requests);
3357  vlib_cli_output (vm, " sent session change requests: %d",
3358  pw->sent_session_change_requests);
3359  }
3360  vlib_cli_output (vm, "\n\nConn cleaner thread counters:");
3361 #define _(cnt, desc) vlib_cli_output(vm, " %20lu: %s", am->cnt, desc);
3362  foreach_fa_cleaner_counter;
3363 #undef _
3364  vlib_cli_output (vm, "Interrupt generation: %d",
3365  am->fa_interrupt_generation);
3366  vlib_cli_output (vm,
3367  "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
3368  am->fa_min_deleted_sessions_per_interval,
3369  am->fa_max_deleted_sessions_per_interval,
3370  am->fa_cleaner_wait_time_increment * 1000.0,
3371  ((f64) am->fa_current_cleaner_timer_wait_interval) *
3372  1000.0 / (f64) vm->clib_time.clocks_per_second);
3373  vlib_cli_output (vm, "Reclassify sessions: %d", am->reclassify_sessions);
3374 }
3375 
3376 static clib_error_t *
3377 acl_show_aclplugin_sessions_fn (vlib_main_t * vm,
3378  unformat_input_t * input,
3379  vlib_cli_command_t * cmd)
3380 {
3381  clib_error_t *error = 0;
3382  acl_main_t *am = &acl_main;
3383 
3384  u32 show_bihash_verbose = 0;
3385  u32 show_session_thread_id = ~0;
3386  u32 show_session_session_index = ~0;
3387  (void) unformat (input, "thread %u index %u", &show_session_thread_id,
3388  &show_session_session_index);
3389  (void) unformat (input, "verbose %u", &show_bihash_verbose);
3390 
3391  acl_plugin_show_sessions (am, show_session_thread_id,
3392  show_session_session_index);
3393  show_fa_sessions_hash (vm, show_bihash_verbose);
3394  return error;
3395 }
3396 
3397 static clib_error_t *
3398 acl_show_aclplugin_tables_fn (vlib_main_t * vm,
3399  unformat_input_t * input,
3400  vlib_cli_command_t * cmd)
3401 {
3402  clib_error_t *error = 0;
3403 
3404  u32 acl_index = ~0;
3405  u32 lc_index = ~0;
3406  int show_acl_hash_info = 0;
3407  int show_applied_info = 0;
3408  int show_mask_type = 0;
3409  int show_bihash = 0;
3410  u32 show_bihash_verbose = 0;
3411 
3412  if (unformat (input, "acl"))
3413  {
3414  show_acl_hash_info = 1;
3415  /* mask-type is handy to see as well right there */
3416  show_mask_type = 1;
3417  unformat (input, "index %u", &acl_index);
3418  }
3419  else if (unformat (input, "applied"))
3420  {
3421  show_applied_info = 1;
3422  unformat (input, "lc_index %u", &lc_index);
3423  }
3424  else if (unformat (input, "mask"))
3425  {
3426  show_mask_type = 1;
3427  }
3428  else if (unformat (input, "hash"))
3429  {
3430  show_bihash = 1;
3431  unformat (input, "verbose %u", &show_bihash_verbose);
3432  }
3433 
3434  if (!
3435  (show_mask_type || show_acl_hash_info || show_applied_info
3436  || show_bihash))
3437  {
3438  /* if no qualifiers specified, show all */
3439  show_mask_type = 1;
3440  show_acl_hash_info = 1;
3441  show_applied_info = 1;
3442  show_bihash = 1;
3443  }
3444  vlib_cli_output (vm, "Stats counters enabled for interface ACLs: %d",
3445  acl_main.interface_acl_counters_enabled);
3446  if (show_mask_type)
3447  acl_plugin_show_tables_mask_type ();
3448  if (show_acl_hash_info)
3449  acl_plugin_show_tables_acl_hash_info (acl_index);
3450  if (show_applied_info)
3451  acl_plugin_show_tables_applied_info (lc_index);
3452  if (show_bihash)
3453  acl_plugin_show_tables_bihash (show_bihash_verbose);
3454 
3455  return error;
3456 }
3457 
3458 static clib_error_t *
3459 acl_clear_aclplugin_fn (vlib_main_t * vm,
3460  unformat_input_t * input, vlib_cli_command_t * cmd)
3461 {
3462  clib_error_t *error = 0;
3463  acl_main_t *am = &acl_main;
3464  vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
3465  ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, ~0);
3466  return error;
3467 }
3468 
3469  /* *INDENT-OFF* */
3470 VLIB_CLI_COMMAND (aclplugin_set_command, static) = {
3471  .path = "set acl-plugin",
3472  .short_help = "set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
3473  .function = acl_set_aclplugin_fn,
3474 };
3475 
3476 VLIB_CLI_COMMAND (aclplugin_show_acl_command, static) = {
3477  .path = "show acl-plugin acl",
3478  .short_help = "show acl-plugin acl [index N]",
3479  .function = acl_show_aclplugin_acl_fn,
3480 };
3481 
3482 VLIB_CLI_COMMAND (aclplugin_show_lookup_context_command, static) = {
3483  .path = "show acl-plugin lookup context",
3484  .short_help = "show acl-plugin lookup context [index N]",
3485  .function = acl_show_aclplugin_lookup_context_fn,
3486 };
3487 
3488 VLIB_CLI_COMMAND (aclplugin_show_lookup_user_command, static) = {
3489  .path = "show acl-plugin lookup user",
3490  .short_help = "show acl-plugin lookup user [index N]",
3491  .function = acl_show_aclplugin_lookup_user_fn,
3492 };
3493 
3494 VLIB_CLI_COMMAND (aclplugin_show_decode_5tuple_command, static) = {
3495  .path = "show acl-plugin decode 5tuple",
3496  .short_help = "show acl-plugin decode 5tuple XXXX XXXX XXXX XXXX XXXX XXXX",
3497  .function = acl_show_aclplugin_decode_5tuple_fn,
3498 };
3499 
3500 VLIB_CLI_COMMAND (aclplugin_show_interface_command, static) = {
3501  .path = "show acl-plugin interface",
3502  .short_help = "show acl-plugin interface [sw_if_index N] [acl]",
3503  .function = acl_show_aclplugin_interface_fn,
3504 };
3505 
3506 VLIB_CLI_COMMAND (aclplugin_show_memory_command, static) = {
3507  .path = "show acl-plugin memory",
3508  .short_help = "show acl-plugin memory",
3509  .function = acl_show_aclplugin_memory_fn,
3510 };
3511 
3512 VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = {
3513  .path = "show acl-plugin sessions",
3514  .short_help = "show acl-plugin sessions",
3515  .function = acl_show_aclplugin_sessions_fn,
3516 };
3517 
3518 VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = {
3519  .path = "show acl-plugin tables",
3520  .short_help = "show acl-plugin tables [ acl [index N] | applied [ lc_index N ] | mask | hash [verbose N] ]",
3521  .function = acl_show_aclplugin_tables_fn,
3522 };
3523 
3524 VLIB_CLI_COMMAND (aclplugin_show_macip_acl_command, static) = {
3525  .path = "show acl-plugin macip acl",
3526  .short_help = "show acl-plugin macip acl [index N]",
3527  .function = acl_show_aclplugin_macip_acl_fn,
3528 };
3529 
3530 VLIB_CLI_COMMAND (aclplugin_show_macip_interface_command, static) = {
3531  .path = "show acl-plugin macip interface",
3532  .short_help = "show acl-plugin macip interface",
3533  .function = acl_show_aclplugin_macip_interface_fn,
3534 };
3535 
3536 VLIB_CLI_COMMAND (aclplugin_clear_command, static) = {
3537  .path = "clear acl-plugin sessions",
3538  .short_help = "clear acl-plugin sessions",
3539  .function = acl_clear_aclplugin_fn,
3540 };
3541 
3542 /*?
3543  * [un]Apply an ACL to an interface.
3544  * The ACL is applied in a given direction, either input or output.
3545  * The ACL being applied must already exist.
3546  *
3547  * @cliexpar
3548  * <b><em> set acl-plugin interface <input|output> acl <index> [del] </b></em>
3549  * @cliexend
3550  ?*/
3551 VLIB_CLI_COMMAND (aclplugin_set_interface_command, static) = {
3552  .path = "set acl-plugin interface",
3553  .short_help = "set acl-plugin interface <interface> <input|output> <acl INDEX> [del] ",
3554  .function = acl_set_aclplugin_interface_fn,
3555 };
3556 
3557 /*?
3558  * Create an Access Control List (ACL)
3559  * an ACL is composed of more than one Access control element (ACE). Multiple
3560  * ACEs can be specified with this command using a comma separated list.
3561  *
3562  * Each ACE describes a tuple of src+dst IP prefix, ip protocol, src+dst port ranges.
3563  * (the ACL plugin also support ICMP types/codes instead of UDP/TCP ports, but
3564  * this CLI does not).
3565  *
3566  * An ACL can optionally be assigned a 'tag' - which is an identifier understood
3567  * by the client. VPP does not examine it in any way.
3568  *
3569  * @cliexpar
3570  * <b><em> set acl-plugin acl <permit|deny> src <PREFIX> dst <PREFIX> proto <TCP|UDP> sport <X-Y> dport <X-Y> [tag FOO] </b></em>
3571  * @cliexend
3572  ?*/
3573 VLIB_CLI_COMMAND (aclplugin_set_acl_command, static) = {
3574  .path = "set acl-plugin acl",
3575  .short_help = "set acl-plugin acl <permit|deny> src <PREFIX> dst <PREFIX> proto X sport X-Y dport X-Y [tag FOO] {use comma separated list for multiple rules}",
3576  .function = acl_set_aclplugin_acl_fn,
3577 };
3578 /* *INDENT-ON* */
3579 
3580 static clib_error_t *
3581 acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
3582 {
3583  acl_main_t *am = &acl_main;
3584  u32 conn_table_hash_buckets;
3585  uword conn_table_hash_memory_size;
3586  u32 conn_table_max_entries;
3587  uword main_heap_size;
3588  uword hash_heap_size;
3589  u32 hash_lookup_hash_buckets;
3590  uword hash_lookup_hash_memory;
3591  u32 reclassify_sessions;
3592  u32 use_tuple_merge;
3593  u32 tuple_merge_split_threshold;
3594 
3595  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
3596  {
3597  if (unformat
3598  (input, "connection hash buckets %d", &conn_table_hash_buckets))
3599  am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
3600  else
3601  if (unformat
3602  (input, "connection hash memory %U", unformat_memory_size,
3603  &conn_table_hash_memory_size))
3604  am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
3605  else if (unformat (input, "connection count max %d",
3606  &conn_table_max_entries))
3607  am->fa_conn_table_max_entries = conn_table_max_entries;
3608  else
3609  if (unformat
3610  (input, "main heap size %U", unformat_memory_size,
3611  &main_heap_size))
3612  clib_warning
3613  ("WARNING: ACL heap is now part of the main heap. 'main heap size' is ineffective.");
3614  else
3615  if (unformat
3616  (input, "hash lookup heap size %U", unformat_memory_size,
3617  &hash_heap_size))
3618  clib_warning
3619  ("WARNING: ACL heap is now part of the main heap. 'hash lookup heap size' is ineffective.");
3620  else
3621  if (unformat
3622  (input, "hash lookup hash buckets %d", &hash_lookup_hash_buckets))
3623  am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
3624  else
3625  if (unformat
3626  (input, "hash lookup hash memory %U", unformat_memory_size,
3627  &hash_lookup_hash_memory))
3628  am->hash_lookup_hash_memory = hash_lookup_hash_memory;
3629  else if (unformat (input, "use tuple merge %d", &use_tuple_merge))
3630  am->use_tuple_merge = use_tuple_merge;
3631  else
3632  if (unformat
3633  (input, "tuple merge split threshold %d",
3634  &tuple_merge_split_threshold))
3635  am->tuple_merge_split_threshold = tuple_merge_split_threshold;
3636 
3637  else if (unformat (input, "reclassify sessions %d",
3638  &reclassify_sessions))
3639  am->reclassify_sessions = reclassify_sessions;
3640 
3641  else
3642  return clib_error_return (0, "unknown input '%U'",
3643  format_unformat_error, input);
3644  }
3645  return 0;
3646 }
3647 
3648 VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
3649 
3650 /* Set up the API message handling tables */
3651 #include <vnet/format_fns.h>
3652 #include <acl/acl.api.c>
3653 
3654 static clib_error_t *
3655 acl_init (vlib_main_t * vm)
3656 {
3657  acl_main_t *am = &acl_main;
3658  clib_error_t *error = 0;
3659  clib_memset (am, 0, sizeof (*am));
3660  am->vlib_main = vm;
3661  am->vnet_main = vnet_get_main ();
3662  am->log_default = vlib_log_register_class ("acl_plugin", 0);
3663 
3664  /* Ask for a correctly-sized block of API message decode slots */
3665  am->msg_id_base = setup_message_id_table ();
3666 
3667  error = acl_plugin_exports_init (&acl_plugin);
3668 
3669  if (error)
3670  return error;
3671 
3672  am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
3673  am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
3674 
3675  am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] =
3676  TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
3677  am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] =
3678  TCP_SESSION_IDLE_TIMEOUT_SEC;
3679  am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] =
3680  UDP_SESSION_IDLE_TIMEOUT_SEC;
3681 
3682  am->fa_conn_table_hash_num_buckets =
3683  ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS;
3684  am->fa_conn_table_hash_memory_size =
3685  ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE;
3686  am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
3687  am->reclassify_sessions = 0;
3688  vlib_thread_main_t *tm = vlib_get_thread_main ();
3689 
3690  am->fa_min_deleted_sessions_per_interval =
3691  ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
3692  am->fa_max_deleted_sessions_per_interval =
3693  ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
3694  am->fa_cleaner_wait_time_increment =
3695  ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
3696 
3697  vec_validate (am->per_worker_data, tm->n_vlib_mains - 1);
3698  {
3699  u16 wk;
3700  for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3701  {
3702  acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3703  if (tm->n_vlib_mains > 1)
3704  {
3705  clib_spinlock_init (&pw->pending_session_change_request_lock);
3706  }
3707  vec_validate (pw->expired,
3708  ACL_N_TIMEOUTS *
3709  am->fa_max_deleted_sessions_per_interval);
3710  _vec_len (pw->expired) = 0;
3711  vec_validate_init_empty (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1,
3712  FA_SESSION_BOGUS_INDEX);
3713  vec_validate_init_empty (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1,
3714  FA_SESSION_BOGUS_INDEX);
3715  vec_validate_init_empty (pw->fa_conn_list_head_expiry_time,
3716  ACL_N_TIMEOUTS - 1, ~0ULL);
3717  }
3718  }
3719 
3720  am->fa_cleaner_cnt_delete_by_sw_index = 0;
3721  am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
3722  am->fa_cleaner_cnt_unknown_event = 0;
3723  am->fa_cleaner_cnt_timer_restarted = 0;
3724  am->fa_cleaner_cnt_wait_with_timeout = 0;
3725 
3726 
3727 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
3728  foreach_acl_eh
3729 #undef _
3730  am->l4_match_nonfirst_fragment = 1;
3731 
3732  /* use the new fancy hash-based matching */
3733  am->use_hash_acl_matching = 1;
3734  /* use tuplemerge by default */
3735  am->use_tuple_merge = 1;
3736  /* Set the default threshold */
3737  am->tuple_merge_split_threshold = TM_SPLIT_THRESHOLD;
3738 
3739  am->interface_acl_user_id =
3740  acl_plugin.register_user_module ("interface ACL", "sw_if_index",
3741  "is_input");
3742 
3743  am->acl_counter_lock = clib_mem_alloc_aligned (CLIB_CACHE_LINE_BYTES,
3744  CLIB_CACHE_LINE_BYTES);
3745  am->acl_counter_lock[0] = 0; /* should be no need */
3746 
3747  return error;
3748 }
3749 
3750 VLIB_INIT_FUNCTION (acl_init);
3751 
3752 
3753 /*
3754  * fd.io coding-style-patch-verification: ON
3755  *
3756  * Local Variables:
3757  * eval: (c-set-style "gnu")
3758  * End:
3759  */
vl_api_acl_stats_intf_counters_enable_t_handler
static void vl_api_acl_stats_intf_counters_enable_t_handler(vl_api_acl_stats_intf_counters_enable_t *mp)
Definition: acl.c:1833
vlib_log_register_class
vlib_log_class_t vlib_log_register_class(char *class, char *subclass)
Definition: log.c:339
acl_list_t::rules
acl_rule_t * rules
Definition: acl.h:83
vec_validate
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:524
acl_main_t::input_policy_epoch_by_sw_if_index
u32 * input_policy_epoch_by_sw_if_index
Definition: acl.h:165
acl_api_invalid_prefix
static int acl_api_invalid_prefix(const vl_api_prefix_t *prefix)
Definition: acl.c:310
format_vec16
u8 * format_vec16(u8 *s, va_list *va)
Definition: acl.c:68
macip_acl_list_t::rules
macip_acl_rule_t * rules
Definition: acl.h:92
macip_acl_interface_add_acl
static int macip_acl_interface_add_acl(acl_main_t *am, u32 sw_if_index, u32 macip_acl_index)
Definition: acl.c:1678
macip_acl_rule_t::src_mac
u8 src_mac[6]
Definition: acl.h:69
acl_main_t::fa_cleaner_node_index
u32 fa_cleaner_node_index
Definition: acl.h:226
acl_main_t::session_timeout_sec
u32 session_timeout_sec[ACL_N_TIMEOUTS]
Definition: acl.h:228
acl_set_aclplugin_interface_fn
static clib_error_t * acl_set_aclplugin_interface_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:2772
vl_api_acl_interface_add_del_t
Use acl_interface_set_acl_list instead Append/remove an ACL index to/from the list of ACLs checked fo...
Definition: acl.api:154
vec_foreach_index
#define vec_foreach_index(var, v)
Iterate over vector indices.
Definition: vec_bootstrap.h:220
macip_acl_interface_add_del_acl
static int macip_acl_interface_add_del_acl(u32 sw_if_index, u8 is_add, u32 acl_list_index)
Definition: acl.c:1742
vl_api_acl_interface_add_del_t::acl_index
u32 acl_index
Definition: acl.api:165
vl_api_acl_plugin_get_conn_table_max_entries_t_handler
static void vl_api_acl_plugin_get_conn_table_max_entries_t_handler(vl_api_acl_plugin_get_conn_table_max_entries_t *mp)
Definition: acl.c:202
acl_clear_aclplugin_fn
static clib_error_t * acl_clear_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3459
acl_set_skip_ipv6_eh
static int acl_set_skip_ipv6_eh(u32 eh, u32 value)
Definition: acl.c:2480
dst_prefix
vl_api_prefix_t dst_prefix
Definition: acl_types.api:46
acl_show_aclplugin_lookup_user_fn
static clib_error_t * acl_show_aclplugin_lookup_user_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3084
UDP_SESSION_IDLE_TIMEOUT_SEC
#define UDP_SESSION_IDLE_TIMEOUT_SEC
Definition: acl.h:40
vl_api_acl_interface_etype_whitelist_details_t::count
u8 count
Definition: acl.api:482
vnet_interface_main_t
Definition: interface.h:989
acl_init
static clib_error_t * acl_init(vlib_main_t *vm)
Definition: acl.c:3655
acl_index
u32 acl_index
Definition: abf.api:60
acl_rule_t::is_ipv6
u8 is_ipv6
Definition: types.h:24
public_inlines.h
FA_SESSION_BOGUS_INDEX
#define FA_SESSION_BOGUS_INDEX
Definition: fa_node.h:166
acl_fa_per_worker_data_t::next_expiry_time
u64 next_expiry_time
Definition: fa_node.h:190
IP46_TYPE_IP4
Definition: ip46_address.h:26
acl_fa_per_worker_data_t::pending_clear_sw_if_index_bitmap
uword * pending_clear_sw_if_index_bitmap
Definition: fa_node.h:206
acl_plugin_counter_lock
static void acl_plugin_counter_lock(acl_main_t *am)
Definition: acl.h:317
acl_plugin_show_tables_mask_type
void acl_plugin_show_tables_mask_type(void)
Definition: hash_lookup.c:1155
acl_main_t::combined_acl_counters
vlib_combined_counter_main_t * combined_acl_counters
Definition: acl.h:301
vlib_validate_combined_counter
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:119
vl_api_acl_plugin_get_version_t_handler
static void vl_api_acl_plugin_get_version_t_handler(vl_api_acl_plugin_get_version_t *mp)
Definition: acl.c:83
vl_api_macip_acl_del_t::acl_index
u32 acl_index
Definition: acl.api:330
a
a
Definition: bitmap.h:544
acl_main_t::fa_current_cleaner_timer_wait_interval
u64 fa_current_cleaner_timer_wait_interval
Definition: acl.h:268
vl_api_acl_interface_set_acl_list_t
Set the vector of input/output ACLs checked for an interface.
Definition: acl.api:178
format_acl_action
static u8 * format_acl_action(u8 *s, u8 action)
Definition: acl.c:138
vlib_combined_counter_main_t::stat_segment_name
char * stat_segment_name
Name in stat segment directory.
Definition: counter.h:207
vl_api_macip_acl_interface_list_dump_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:418
vl_api_acl_plugin_get_version_reply_t::context
u32 context
Definition: acl.api:46
vl_api_acl_interface_set_etype_whitelist_t
Set the ethertype whitelists on an interface.
Definition: acl.api:445
acl_main_t::input_acl_vec_by_sw_if_index
u32 ** input_acl_vec_by_sw_if_index
Definition: acl.h:150
acl_main_t::msg_id_base
u16 msg_id_base
Definition: acl.h:118
ntohs
#define ntohs(x)
Definition: af_xdp.bpf.c:29
acl_plugin_show_tables_applied_info
void acl_plugin_show_tables_applied_info(u32 lc_index)
Definition: hash_lookup.c:1233
vl_api_acl_interface_list_dump_t
Dump the list(s) of ACL applied to specific or all interfaces.
Definition: acl.api:231
r
vnet_hw_if_output_node_runtime_t * r
Definition: interface_output.c:1071
vl_api_macip_acl_add_reply_t::acl_index
u32 acl_index
Definition: acl.api:283
vl_api_macip_acl_add_t::r
vl_api_macip_acl_rule_t r[count]
Definition: acl.api:270
vl_api_macip_acl_interface_add_del_t::is_add
bool is_add[default=true]
Definition: acl.api:346
macip_acl_list_t::out_l2_table_index
u32 out_l2_table_index
Definition: acl.h:100
mac_address_encode
void mac_address_encode(const mac_address_t *in, u8 *out)
Definition: ethernet_types_api.c:40
macip_acl_list_t
Definition: acl.h:86
pool_foreach
#define pool_foreach(VAR, POOL)
Iterate through pool.
Definition: pool.h:534
count_skip
static int count_skip(u8 *p, u32 size)
Definition: acl.c:463
vnet_main_t::interface_main
vnet_interface_main_t interface_main
Definition: vnet.h:81
vl_api_acl_add_replace_t_handler
static void vl_api_acl_add_replace_t_handler(vl_api_acl_add_replace_t *mp)
Definition: acl.c:1792
vl_api_macip_acl_dump_t_handler
static void vl_api_macip_acl_dump_t_handler(vl_api_macip_acl_dump_t *mp)
Definition: acl.c:2214
ip_types_api.h
clib_error
#define clib_error(format, args...)
Definition: error.h:62
u64
unsigned long u64
Definition: types.h:89
acl_main_t::l4_match_nonfirst_fragment
int l4_match_nonfirst_fragment
Definition: acl.h:239
vl_api_acl_interface_list_dump_t::client_index
u32 client_index
Definition: acl.api:233
vl_api_acl_plugin_control_ping_reply_t
Control ping from the client to the server response.
Definition: acl.api:67
ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS
Definition: fa_node.h:23
ACL_PLUGIN_VERSION_MINOR
#define ACL_PLUGIN_VERSION_MINOR
Definition: acl.h:38
acl_plugin_config
static clib_error_t * acl_plugin_config(vlib_main_t *vm, unformat_input_t *input)
Definition: acl.c:3581
ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY
#define ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY
Definition: acl.h:47
REPLY_MACRO2
#define REPLY_MACRO2(t, body)
Definition: api_helper_macros.h:65
cm
vnet_feature_config_main_t * cm
Definition: nat44_ei_hairpinning.c:591
clib_memset
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
vl_api_macip_acl_add_t_handler
static void vl_api_macip_acl_add_t_handler(vl_api_macip_acl_add_t *mp)
Definition: acl.c:2081
vl_api_acl_del_t::acl_index
u32 acl_index
Definition: acl.api:139
vl_api_acl_interface_etype_whitelist_dump_t_handler
static void vl_api_acl_interface_etype_whitelist_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
Definition: acl.c:2422
vl_api_acl_interface_etype_whitelist_details_t
Details about ethertype whitelist on a single interface.
Definition: acl.api:478
clib_time_t::clocks_per_second
f64 clocks_per_second
Definition: time.h:54
acl_rule_t::dst_prefixlen
u8 dst_prefixlen
Definition: types.h:28
vl_api_send_msg
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
Definition: api.h:35
clib_bitmap_foreach
#define clib_bitmap_foreach(i, ai)
Macro to iterate across set bits in a bitmap.
Definition: bitmap.h:361
vl_api_acl_interface_etype_whitelist_details_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:481
vl_api_acl_plugin_get_version_reply_t::minor
u32 minor
Definition: acl.api:48
vl_api_acl_interface_list_details_t::context
u32 context
Definition: acl.api:249
fa_session_t::info
fa_5tuple_t info
Definition: fa_node.h:106
vl_api_macip_acl_details_t::tag
string tag[64]
Definition: acl.api:379
vl_api_acl_plugin_get_conn_table_max_entries_reply_t
Reply to get connection table max entries.
Definition: acl.api:90
vec_add1
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:607
clib_cpu_time_now
static u64 clib_cpu_time_now(void)
Definition: time.h:81
macip_acl_list_t::l2_table_index
u32 l2_table_index
Definition: acl.h:96
src
vl_api_address_t src
Definition: gre.api:54
acl_clear_sessions
static void acl_clear_sessions(acl_main_t *am, u32 sw_if_index)
Definition: acl.c:514
vlib_thread_main_t
Definition: threads.h:264
get_l3_dst_offset
static int get_l3_dst_offset(int is6)
Definition: acl.c:952
srcport_or_icmptype_last
u16 srcport_or_icmptype_last
Definition: acl_types.api:62
clib_bitmap_set
static uword * clib_bitmap_set(uword *ai, uword i, uword value)
Sets the ith bit of a bitmap to new_value Removes trailing zeros from the bitmap. ...
Definition: bitmap.h:167
macip_match_type_t::has_egress
u8 has_egress
Definition: acl.c:870
unformat_user
uword unformat_user(unformat_input_t *input, unformat_function_t *func,...)
Definition: unformat.c:989
acl_main_t::session_timeout
u64 session_timeout[ACL_N_TIMEOUTS]
Definition: acl.h:276
acl_fa_per_worker_data_t::fa_sessions_pool
fa_session_t * fa_sessions_pool
Definition: fa_node.h:170
srcport_or_icmptype_first
u16 srcport_or_icmptype_first
Definition: acl_types.api:61
vnet_sw_interface_t
Definition: interface.h:868
vl_api_acl_interface_add_del_t::is_add
bool is_add[default=true]
Definition: acl.api:158
acl_main_t::output_policy_epoch_by_sw_if_index
u32 * output_policy_epoch_by_sw_if_index
Definition: acl.h:166
macip_match_type_t::out_dot1q_table_index
u32 out_dot1q_table_index
Definition: acl.c:883
macip_match_type_t::prefix_len
u8 prefix_len
Definition: acl.c:872
acl_vector_print_func_t
void(* acl_vector_print_func_t)(vlib_main_t *vm, u8 *out0)
Definition: acl.c:135
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:459
vlib_main_t::clib_time
clib_time_t clib_time
Definition: main.h:106
macip_match_type_t::dot1ad_table_index
u32 dot1ad_table_index
Definition: acl.c:877
fa_session_t::link_list_id
u8 link_list_id
Definition: fa_node.h:117
validate_and_reset_acl_counters
static void validate_and_reset_acl_counters(acl_main_t *am, u32 acl_index)
Definition: acl.c:277
prefix
vl_api_prefix_t prefix
Definition: ip.api:146
acl_plugin_methods_t
Definition: exported_types.h:88
vl_api_acl_interface_list_details_t::n_input
u8 n_input
Definition: acl.api:252
vl_api_macip_acl_dump_t::context
u32 context
Definition: acl.api:362
vl_api_acl_plugin_get_version_reply_t::major
u32 major
Definition: acl.api:47
vl_msg_api_alloc
void * vl_msg_api_alloc(int nbytes)
Definition: memory_shared.c:199
vl_api_acl_details_t::acl_index
u32 acl_index
Definition: acl.api:219
vl_api_acl_plugin_get_conn_table_max_entries_t::client_index
u32 client_index
Definition: acl.api:82
vnet_classify_add_del_table
int vnet_classify_add_del_table(vnet_classify_main_t *cm, const u8 *mask, u32 nbuckets, u32 memory_size, u32 skip, u32 match, u32 next_table_index, u32 miss_next_index, u32 *table_index, u8 current_data_flag, i16 current_data_offset, int is_add, int del_chain)
Definition: vnet_classify.c:747
vl_api_macip_acl_del_t
Delete a MACIP ACL.
Definition: acl.api:326
u8
unsigned char u8
Definition: types.h:56
pool_len
#define pool_len(p)
Number of elements in pool vector.
Definition: pool.h:139
macip_find_match_type
static u32 macip_find_match_type(macip_match_type_t *mv, u8 *mac_mask, u8 prefix_len, u8 is_ipv6)
Definition: acl.c:890
in_out_acl.h
vl_api_acl_interface_add_del_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:164
macip_match_type_t::table_index
u32 table_index
Definition: acl.c:874
vec_reset_length
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
Definition: vec_bootstrap.h:194
acl_main_t::log_default
vlib_log_class_t log_default
Definition: acl.h:298
f64
double f64
Definition: types.h:142
vl_api_macip_acl_details_t
Details about one MACIP ACL.
Definition: acl.api:375
acl_plugin_lookup_context_notify_acl_change
void acl_plugin_lookup_context_notify_acl_change(u32 acl_num)
Definition: lookup_context.c:270
u32
unsigned int u32
Definition: types.h:88
acl_main_t::fa_cleaner_wait_time_increment
f64 fa_cleaner_wait_time_increment
Definition: acl.h:266
vec_add
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
Definition: vec.h:689
macip_match_type_t::arp_dot1q_table_index
u32 arp_dot1q_table_index
Definition: acl.c:878
vl_api_macip_acl_add_replace_t::count
u32 count
Definition: acl.api:302
clib_bitmap_validate
#define clib_bitmap_validate(v, n_bits)
Definition: bitmap.h:115
ADDRESS_IP4
Definition: ip_types.api:22
acl_main_t::interface_acl_user_id
u32 interface_acl_user_id
Definition: acl.h:145
acl_main_t::lc_index_vec_by_acl
u32 ** lc_index_vec_by_acl
Definition: acl.h:162
acl_main_t::fa_conn_table_hash_memory_size
uword fa_conn_table_hash_memory_size
Definition: acl.h:243
acl_fa_per_worker_data_t::requeue_until_time
u64 requeue_until_time
Definition: fa_node.h:192
acl_rule_t::dst_port_or_code_last
u16 dst_port_or_code_last
Definition: types.h:33
acl_interface_in_enable_disable
static int acl_interface_in_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
Definition: acl.c:523
acl_sw_interface_add_del
static clib_error_t * acl_sw_interface_add_del(vnet_main_t *vnm, u32 sw_if_index, u32 is_add)
Definition: acl.c:2496
macip_acl_rule_t::src_mac_mask
u8 src_mac_mask[6]
Definition: acl.h:70
acl_rule_t::src_prefixlen
u8 src_prefixlen
Definition: types.h:26
l2_in_out_feat_arc.h
acl_fa_per_worker_data_t::rcvd_session_change_requests
u64 rcvd_session_change_requests
Definition: fa_node.h:175
macip_acl_rule_t::src_ip_addr
ip46_address_t src_ip_addr
Definition: acl.h:71
mv
void mv(vnet_classify_table_t *t)
Definition: vnet_classify.c:79
vlib_clear_combined_counters
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
Definition: counter.c:61
fa_session_t::link_prev_idx
u32 link_prev_idx
Definition: fa_node.h:115
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:172
vl_api_acl_plugin_get_version_t::client_index
u32 client_index
Definition: acl.api:34
acl_is_not_defined
static int acl_is_not_defined(acl_main_t *am, u32 acl_list_index)
Definition: acl.c:616
acl_show_aclplugin_acl_fn
static clib_error_t * acl_show_aclplugin_acl_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3056
acl_main_t::acl_counter_lock
volatile u32 * acl_counter_lock
Definition: acl.h:300
vl_api_macip_acl_interface_list_details_t::context
u32 context
Definition: acl.api:430
vl_api_acl_interface_etype_whitelist_details_t::context
u32 context
Definition: acl.api:480
acl_fa_per_worker_data_t::cnt_deleted_sessions
u64 cnt_deleted_sessions
Definition: fa_node.h:196
acl_main_t::fa_conn_table_max_entries
u64 fa_conn_table_max_entries
Definition: acl.h:244
clib_bitmap_is_zero
static uword clib_bitmap_is_zero(uword *ai)
predicate function; is an entire bitmap empty?
Definition: bitmap.h:57
acl_is_used_by
static int acl_is_used_by(u32 acl_index, u32 **foo_index_vec_by_acl)
Definition: acl.c:422
vl_api_acl_add_replace_t::tag
string tag[64]
Definition: acl.api:110
vnet_classify_add_del_session
int vnet_classify_add_del_session(vnet_classify_main_t *cm, u32 table_index, const u8 *match, u32 hit_next_index, u32 opaque_index, i32 advance, u8 action, u16 metadata, int is_add)
Definition: vnet_classify.c:2745
acl_main_t::vnet_main
vnet_main_t * vnet_main
Definition: acl.h:296
format
description fragment has unexpected format
Definition: map.api:433
acl_rule_t::src
ip46_address_t src
Definition: types.h:25
acl_fa_per_worker_data_t::interrupt_is_needed
int interrupt_is_needed
Definition: fa_node.h:216
acl_fa_per_worker_data_t::cnt_session_timer_restarted
u64 cnt_session_timer_restarted
Definition: fa_node.h:200
vec_elt_at_index
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
Definition: vec_bootstrap.h:203
vl_api_macip_acl_interface_add_del_t
Add or delete a MACIP ACL to/from interface.
Definition: acl.api:342
increment_policy_epoch
static void increment_policy_epoch(acl_main_t *am, u32 sw_if_index, int is_input)
Definition: acl.c:238
acl_show_aclplugin_interface_fn
static clib_error_t * acl_show_aclplugin_interface_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3202
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
vl_api_macip_acl_interface_list_details_t::acls
u32 acls[count]
Definition: acl.api:433
vl_api_acl_interface_list_dump_t::context
u32 context
Definition: acl.api:234
vl_api_acl_dump_t::context
u32 context
Definition: acl.api:203
macip_acl_rule_t::src_prefixlen
u8 src_prefixlen
Definition: acl.h:72
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: pnat_test_stubs.h:56
acl_rule_t::is_permit
u8 is_permit
Definition: types.h:23
ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES
#define ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES
Definition: fa_node.h:25
acl_main_t::in_acl_on_sw_if_index
uword * in_acl_on_sw_if_index
Definition: acl.h:158
acl_print_acl
static void acl_print_acl(vlib_main_t *vm, acl_main_t *am, int acl_index)
Definition: acl.c:226
vl_api_macip_acl_add_replace_t::acl_index
u32 acl_index[default=0xffffffff]
Definition: acl.api:300
vl_api_macip_acl_interface_get_t::context
u32 context
Definition: acl.api:392
macip_match_type_t::mac_mask
u8 mac_mask[6]
Definition: acl.c:871
macip_match_type_t::out_arp_dot1q_table_index
u32 out_arp_dot1q_table_index
Definition: acl.c:885
vl_api_acl_interface_set_etype_whitelist_t::whitelist
u16 whitelist[count]
Definition: acl.api:452
macip_match_type_t::count
u32 count
Definition: acl.c:873
vec_search
#define vec_search(v, E)
Search a vector for the index of the entry that matches.
Definition: vec.h:1055
vl_api_macip_acl_details_t::count
u32 count
Definition: acl.api:380
VNET_SW_INTERFACE_ADD_DEL_FUNCTION
VNET_SW_INTERFACE_ADD_DEL_FUNCTION(acl_sw_interface_add_del)
rv
int __clib_unused rv
Definition: application.c:491
acl_show_aclplugin_decode_5tuple_fn
static clib_error_t * acl_show_aclplugin_decode_5tuple_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3183
vl_api_acl_details_t::context
u32 context
Definition: acl.api:218
macip_acl_list_t::ip4_table_index
u32 ip4_table_index
Definition: acl.h:94
vl_api_acl_interface_list_details_t::acls
u32 acls[count]
Definition: acl.api:253
vl_api_acl_plugin_get_conn_table_max_entries_t
Get Connection table max entries.
Definition: acl.api:80
ip_address_decode
ip46_type_t ip_address_decode(const vl_api_address_t *in, ip46_address_t *out)
Decode/Encode for struct/union types.
Definition: ip_types_api.c:186
vl_api_macip_acl_add_replace_reply_t
Reply to add/replace MACIP ACL.
Definition: acl.api:313
vnet_sw_interface_t::sw_if_index
u32 sw_if_index
Definition: interface.h:875
my_macip_acl_rule_t_pretty_format
static u8 * my_macip_acl_rule_t_pretty_format(u8 *out, va_list *args)
Definition: acl.c:2726
acl_rule_t::dst
ip46_address_t dst
Definition: types.h:27
unformat_line_input
unformat_function_t unformat_line_input
Definition: format.h:275
clib_spinlock_init
static void clib_spinlock_init(clib_spinlock_t *p)
Definition: lock.h:65
vl_api_acl_interface_add_del_t::is_input
bool is_input
Definition: acl.api:163
api_helper_macros.h
vl_api_macip_acl_interface_list_dump_t::context
u32 context
Definition: acl.api:417
error
Definition: cJSON.c:88
acl_show_aclplugin_memory_fn
static clib_error_t * acl_show_aclplugin_memory_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3219
vl_api_macip_acl_add_reply_t
Reply to add MACIP ACL.
Definition: acl.api:280
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:553
sw_if_index
vl_api_interface_index_t sw_if_index
Definition: wireguard.api:34
acl_plugin_show_interface
static void acl_plugin_show_interface(acl_main_t *am, u32 sw_if_index, int show_acl, int detail)
Definition: acl.c:3099
vl_api_macip_acl_interface_list_details_t
Details about a single MACIP ACL contents.
Definition: acl.api:428
acl_set_session_max_entries
static void acl_set_session_max_entries(u32 value)
Definition: acl.c:2473
vl_api_acl_plugin_control_ping_t
Control ping from client to api server request.
Definition: acl.api:55
vlib_process_signal_event
static void vlib_process_signal_event(vlib_main_t *vm, uword node_index, uword type_opaque, uword data)
Definition: node_funcs.h:1019
VLIB_PLUGIN_REGISTER
VLIB_PLUGIN_REGISTER()
vl_api_acl_plugin_get_version_t::context
u32 context
Definition: acl.api:35
ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT
#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT
Definition: acl.h:265
acl_rule_t::dst_port_or_code_first
u16 dst_port_or_code_first
Definition: types.h:32
proto
vl_api_ip_proto_t proto
Definition: acl_types.api:51
vl_api_acl_add_replace_t::acl_index
u32 acl_index
Definition: acl.api:109
vl_api_macip_acl_dump_t::client_index
u32 client_index
Definition: acl.api:361
TCP_SESSION_IDLE_TIMEOUT_SEC
#define TCP_SESSION_IDLE_TIMEOUT_SEC
Definition: acl.h:41
warning_acl_print_acl
static void warning_acl_print_acl(vlib_main_t *vm, acl_main_t *am, int acl_index)
Definition: acl.c:232
vl_api_acl_interface_set_acl_list_t::acls
u32 acls[count]
Definition: acl.api:185
acl_fa_per_worker_data_t
Definition: fa_node.h:168
vl_api_acl_details_t::tag
string tag[64]
Definition: acl.api:220
vl_api_acl_dump_t_handler
static void vl_api_acl_dump_t_handler(vl_api_acl_dump_t *mp)
Definition: acl.c:1963
unformat_input_t
struct _unformat_input_t unformat_input_t
u16
unsigned short u16
Definition: types.h:57
acl_main_t::fa_ipv6_known_eh_bitmap
uword * fa_ipv6_known_eh_bitmap
Definition: acl.h:236
memory_size
u64 memory_size
Definition: vhost_user.h:124
vl_api_acl_add_replace_t
Replace an existing ACL in-place or create a new ACL.
Definition: acl.api:105
ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL
#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL
Definition: acl.h:262
vl_api_macip_acl_interface_add_del_t::acl_index
u32 acl_index
Definition: acl.api:349
size
u32 size
Definition: vhost_user.h:125
macip_acl_rule_t
Definition: acl.h:65
pool_put
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:305
vec_dup
#define vec_dup(V)
Return copy of vector (no header, no alignment)
Definition: vec.h:444
acl_fa_per_worker_data_t::fa_session_epoch_change_by_sw_if_index
u64 * fa_session_epoch_change_by_sw_if_index
Definition: fa_node.h:186
acl_main_t::output_lc_index_by_sw_if_index
u32 * output_lc_index_by_sw_if_index
Definition: acl.h:143
vl_api_acl_interface_list_details_t
Details about a single ACL contents.
Definition: acl.api:247
acl_show_aclplugin_tables_fn
static clib_error_t * acl_show_aclplugin_tables_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3398
VLIB_CONFIG_FUNCTION
#define VLIB_CONFIG_FUNCTION(x, n,...)
Definition: init.h:181
REPLY_MACRO
#define REPLY_MACRO(t)
Definition: api_helper_macros.h:30
acl_fa_per_worker_data_t::fa_conn_list_tail
u32 * fa_conn_list_tail
Definition: fa_node.h:179
vec_del1
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:897
vl_api_acl_add_replace_t::r
vl_api_acl_rule_t r[count]
Definition: acl.api:112
send_acl_details
static void send_acl_details(acl_main_t *am, vl_api_registration_t *reg, acl_list_t *acl, u32 context)
Definition: acl.c:1933
src_address
vl_api_address_union_t src_address
Definition: ip_types.api:122
get_l3_src_offset
static int get_l3_src_offset(int is6)
Definition: acl.c:941
clib_time_t::seconds_per_clock
f64 seconds_per_clock
Definition: time.h:58
vm
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
Definition: nat44_ei.c:3047
format_bitmap_hex
__clib_export u8 * format_bitmap_hex(u8 *s, va_list *args)
Format a bitmap as a string of hex bytes.
Definition: bitmap.c:107
vnet_set_input_acl_intfc
int vnet_set_input_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
Definition: in_out_acl.c:129
fa_session_t::last_active_time
u64 last_active_time
Definition: fa_node.h:107
macip_maybe_apply_unapply_classifier_tables
static int macip_maybe_apply_unapply_classifier_tables(acl_main_t *am, u32 acl_index, int is_apply)
Definition: acl.c:1523
send_acl_interface_etype_whitelist_details
static void send_acl_interface_etype_whitelist_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 context)
Definition: acl.c:2366
vl_api_acl_interface_set_etype_whitelist_t::count
u8 count
Definition: acl.api:450
acl_main_t::interface_acl_counters_enabled
u32 interface_acl_counters_enabled
Definition: acl.h:303
acl_fa_per_worker_data_t::interrupt_is_unwanted
int interrupt_is_unwanted
Definition: fa_node.h:221
acl_rule_t::proto
u8 proto
Definition: types.h:29
vl_api_acl_add_replace_t::count
u32 count
Definition: acl.api:111
my_format_mac_address
static u8 * my_format_mac_address(u8 *s, va_list *args)
Definition: acl.c:2718
acl_fa_per_worker_data_t::fa_conn_list_head_expiry_time
u64 * fa_conn_list_head_expiry_time
Definition: fa_node.h:181
mac_address_t_
Definition: mac_address.h:21
ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX
Definition: fa_node.h:247
fmt
int cJSON_bool fmt
Definition: cJSON.h:160
format_fns.h
macip_match_type_t::out_arp_dot1ad_table_index
u32 out_arp_dot1ad_table_index
Definition: acl.c:886
acl_fa_per_worker_data_t::fa_session_adds_by_sw_if_index
u64 * fa_session_adds_by_sw_if_index
Definition: fa_node.h:184
FA_POLICY_EPOCH_IS_INPUT
#define FA_POLICY_EPOCH_IS_INPUT
Definition: fa_node.h:126
acl_rule_t::src_port_or_type_first
u16 src_port_or_type_first
Definition: types.h:30
acl_fa_per_worker_data_t::fa_session_dels_by_sw_if_index
u64 * fa_session_dels_by_sw_if_index
Definition: fa_node.h:183
vl_api_macip_acl_interface_list_details_t::count
u8 count
Definition: acl.api:432
acl_main_t::fa_min_deleted_sessions_per_interval
u64 fa_min_deleted_sessions_per_interval
Definition: acl.h:263
match_type_compare
static int match_type_compare(macip_match_type_t *m1, macip_match_type_t *m2)
Definition: acl.c:933
acl_print_acl_x
static void acl_print_acl_x(acl_vector_print_func_t vpr, vlib_main_t *vm, acl_main_t *am, int acl_index)
Definition: acl.c:158
format_ip46_address
format_function_t format_ip46_address
Definition: ip46_address.h:50
acl_plugin_show_tables_bihash
void acl_plugin_show_tables_bihash(u32 show_bihash_verbose)
Definition: hash_lookup.c:1283
pool_get_aligned
#define pool_get_aligned(P, E, A)
Allocate an object E from a pool P with alignment A.
Definition: pool.h:249
src_prefix
vl_api_prefix_t src_prefix
Definition: acl_types.api:45
fa_session_t::tcp_flags_seen
union fa_session_t::@16 tcp_flags_seen
vl_api_acl_details_t::r
vl_api_acl_rule_t r[count]
Definition: acl.api:222
vl_api_acl_interface_list_details_t::count
u8 count
Definition: acl.api:251
vl_api_registration_
An API client registration, only in vpp/vlib.
Definition: api_common.h:47
vl_api_macip_acl_interface_list_dump_t
Dump the list(s) of MACIP ACLs applied to specific or all interfaces.
Definition: acl.api:414
setup_message_id_table
static void setup_message_id_table(api_main_t *am)
Definition: bfd_api.c:451
vl_api_acl_interface_set_etype_whitelist_t_handler
static void vl_api_acl_interface_set_etype_whitelist_t_handler(vl_api_acl_interface_set_etype_whitelist_t *mp)
Definition: acl.c:2338
vnet_l2_feature_enable_disable
int vnet_l2_feature_enable_disable(const char *arc_name, const char *node_name, u32 sw_if_index, int enable_disable, void *feature_config, u32 n_feature_config_bytes)
Definition: l2_in_out_feat_arc.c:582
fa_node.h
match_type_metric
static int match_type_metric(macip_match_type_t *m)
Definition: acl.c:912
macip_acl_del_list
static int macip_acl_del_list(u32 acl_list_index)
Definition: acl.c:1708
macip_match_type_t::is_ipv6
u8 is_ipv6
Definition: acl.c:869
vl_api_macip_acl_dump_t
Dump one or all defined MACIP ACLs.
Definition: acl.api:359
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:137
acl_classify_add_del_table_small
static int acl_classify_add_del_table_small(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
Definition: acl.c:478
ip_prefix_decode2
int ip_prefix_decode2(const vl_api_prefix_t *in, ip_prefix_t *out)
Definition: ip_types_api.c:276
acl_fa_per_worker_data_t::sent_session_change_requests
u64 sent_session_change_requests
Definition: fa_node.h:176
acl_plugin_show_acl
static void acl_plugin_show_acl(acl_main_t *am, u32 acl_index)
Definition: acl.c:3017
clib_bitmap_dup_xor
static uword * clib_bitmap_dup_xor(uword *ai, uword *bi)
Logical operator across two bitmaps which duplicates the first bitmap.
i
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:261
acl_main_t::fa_session_total_adds
u64 fa_session_total_adds
Definition: acl.h:230
vl_api_macip_acl_interface_get_reply_t::acls
u32 acls[count]
Definition: acl.api:405
vl_api_acl_add_replace_reply_t::acl_index
u32 acl_index
Definition: acl.api:125
vl_api_acl_dump_t::acl_index
u32 acl_index
Definition: acl.api:204
mask
vl_api_pnat_mask_t mask
Definition: pnat.api:45
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:395
index
u32 index
Definition: flow_types.api:221
macip_match_type_t::dot1q_table_index
u32 dot1q_table_index
Definition: acl.c:876
acl_fa_enable_disable
void acl_fa_enable_disable(u32 sw_if_index, int is_input, int enable_disable)
Definition: sess_mgmt_node.c:856
acl_stats_intf_counters_enable_disable
static int acl_stats_intf_counters_enable_disable(acl_main_t *am, int enable_disable)
Definition: acl.c:596
vl_api_acl_add_replace_reply_t
Reply to add/replace ACL.
Definition: acl.api:122
clib_warning
#define clib_warning(format, args...)
Definition: error.h:59
im
vnet_interface_main_t * im
Definition: interface_output.c:395
acl_rule_t
Definition: types.h:21
vl_api_macip_acl_interface_get_reply_t
Reply with the vector of MACIP ACLs by sw_if_index.
Definition: acl.api:401
acl_plugin_counter_unlock
static void acl_plugin_counter_unlock(acl_main_t *am)
Definition: acl.h:325
format_vec32
u8 * format_vec32(u8 *s, va_list *va)
Definition: std-formats.c:43
acl_plugin_show_lookup_user
void acl_plugin_show_lookup_user(u32 user_index)
Definition: lookup_context.c:307
fa_session_t::sw_if_index
u32 sw_if_index
Definition: fa_node.h:108
ethernet_header_t
Definition: packet.h:52
acl_main_t::use_hash_acl_matching
int use_hash_acl_matching
Definition: acl.h:177
pool_is_free_index
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:302
acl_plugin_exports_init
static clib_error_t * acl_plugin_exports_init(acl_plugin_methods_t *m)
Definition: public_inlines.h:39
clib_bitmap_get
static uword clib_bitmap_get(uword *ai, uword i)
Gets the ith bit value from a bitmap.
Definition: bitmap.h:197
vl_api_acl_interface_set_etype_whitelist_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:449
acl_main_t::hash_lookup_hash_memory
uword hash_lookup_hash_memory
Definition: acl.h:129
vl_api_client_index_to_registration
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
Definition: api.h:79
foreach_fa_cleaner_counter
#define foreach_fa_cleaner_counter
Definition: acl.h:281
vl_api_macip_acl_add_replace_t::r
vl_api_macip_acl_rule_t r[count]
Definition: acl.api:303
vl_api_macip_acl_dump_t::acl_index
u32 acl_index[default=0xffffffff]
Definition: acl.api:363
acl_interface_out_enable_disable
static int acl_interface_out_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
Definition: acl.c:559
acl_main_t::tuple_merge_split_threshold
int tuple_merge_split_threshold
Definition: acl.h:184
vl_api_acl_plugin_get_conn_table_max_entries_reply_t::context
u32 context
Definition: acl.api:92
vl_api_macip_acl_interface_add_del_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:348
macip_match_type_t
Definition: acl.c:867
vl_api_acl_plugin_control_ping_reply_t::vpe_pid
u32 vpe_pid
Definition: acl.api:72
acl_main_t
Definition: acl.h:116
src_mac
vl_api_mac_address_t src_mac
Definition: acl_types.api:94
macip_acl_rule_t::is_ipv6
u8 is_ipv6
Definition: acl.h:68
macip_match_type_t::out_arp_table_index
u32 out_arp_table_index
Definition: acl.c:882
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:163
vnet_classify_main_t
struct _vnet_classify_main vnet_classify_main_t
Definition: vnet_classify.h:61
rules
vl_api_gbp_rule_t rules[n_rules]
Definition: gbp.api:338
acl_main_t::trace_acl
int trace_acl
Definition: acl.h:247
acl_fa_per_worker_data_t::interrupt_is_pending
int interrupt_is_pending
Definition: fa_node.h:210
vnet_main_t
Definition: vnet.h:76
acl_show_aclplugin_macip_acl_fn
static clib_error_t * acl_show_aclplugin_macip_acl_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:2965
ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS
#define ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS
Definition: acl.h:46
vl_api_acl_interface_etype_whitelist_details_t::whitelist
u16 whitelist[count]
Definition: acl.api:484
i32
signed int i32
Definition: types.h:77
acl_main_t::hash_lookup_hash_buckets
u32 hash_lookup_hash_buckets
Definition: acl.h:128
vl_api_macip_acl_interface_list_details_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:431
vl_api_acl_interface_add_del_t_handler
static void vl_api_acl_interface_add_del_t_handler(vl_api_acl_interface_add_del_t *mp)
Definition: acl.c:1846
value
u8 value
Definition: qos.api:54
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
macip_acl_interface_del_acl
static int macip_acl_interface_del_acl(acl_main_t *am, u32 sw_if_index)
Definition: acl.c:1641
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:716
vl_api_macip_acl_interface_list_dump_t::client_index
u32 client_index
Definition: acl.api:416
acl_main_t::trace_sessions
int trace_sessions
Definition: acl.h:246
macip_acl_list_t::out_ip6_table_index
u32 out_ip6_table_index
Definition: acl.h:99
acl_list_t::tag
u8 tag[64]
Definition: acl.h:82
vl_api_macip_acl_del_t_handler
static void vl_api_macip_acl_del_t_handler(vl_api_macip_acl_del_t *mp)
Definition: acl.c:2135
clib_time_t
Definition: time.h:44
vec_validate_acl_rules
#define vec_validate_acl_rules(v, idx)
Definition: acl.c:2816
acl_interface_inout_enable_disable
static int acl_interface_inout_enable_disable(acl_main_t *am, u32 sw_if_index, int is_input, int enable_disable)
Definition: acl.c:606
vlib_thread_main_t::n_vlib_mains
u32 n_vlib_mains
Definition: threads.h:283
acl_rule_t::src_port_or_type_last
u16 src_port_or_type_last
Definition: types.h:31
vl_api_macip_acl_details_t::context
u32 context
Definition: acl.api:377
ethernet_types_api.h
macip_create_classify_tables
static int macip_create_classify_tables(acl_main_t *am, u32 macip_acl_index)
Definition: acl.c:975
ip6_header_t
Definition: ip6_packet.h:294
acl_set_timeout_sec
static void acl_set_timeout_sec(int timeout_type, u32 value)
Definition: acl.c:2454
IP46_TYPE_ANY
Definition: ip46_address.h:24
vl_api_acl_plugin_get_conn_table_max_entries_t::context
u32 context
Definition: acl.api:83
acl_main_t::out_acl_on_sw_if_index
uword * out_acl_on_sw_if_index
Definition: acl.h:159
vl_api_macip_acl_interface_get_t::client_index
u32 client_index
Definition: acl.api:391
l2_classify.h
acl_plugin_show_lookup_context
void acl_plugin_show_lookup_context(u32 lc_index)
Definition: lookup_context.c:324
acl_main_t::sw_if_index_vec_by_macip_acl
u32 ** sw_if_index_vec_by_macip_acl
Definition: acl.h:216
macip_permit_also_egress
static int macip_permit_also_egress(u8 is_permit)
Definition: acl.c:969
clib_bitmap_free
#define clib_bitmap_free(v)
Free a bitmap.
Definition: bitmap.h:92
acl_main
acl_main_t acl_main
Definition: acl.c:44
vnet_classify_main
vnet_classify_main_t vnet_classify_main
Definition: vnet_classify.c:32
vl_api_macip_acl_add_replace_t_handler
static void vl_api_macip_acl_add_replace_t_handler(vl_api_macip_acl_add_replace_t *mp)
Definition: acl.c:2108
vl_api_macip_acl_interface_get_reply_t::count
u32 count
Definition: acl.api:404
vl_api_acl_del_t
Delete an ACL.
Definition: acl.api:135
vl_api_acl_plugin_get_version_reply_t
Reply to get the plugin version.
Definition: acl.api:44
macip_acl_add_list
static int macip_acl_add_list(u32 count, vl_api_macip_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
Definition: acl.c:1550
vl_api_acl_interface_etype_whitelist_details_t::n_input
u8 n_input
Definition: acl.api:483
unformat_ip46_address
unformat_function_t unformat_ip46_address
Definition: format.h:63
bihash_40_8.h
acl_fa_per_worker_data_t::serviced_sw_if_index_bitmap
uword * serviced_sw_if_index_bitmap
Definition: fa_node.h:204
macip_acl_list_t::count
u32 count
Definition: acl.h:91
vl_api_macip_acl_details_t::r
vl_api_macip_acl_rule_t r[count]
Definition: acl.api:381
vl_api_acl_dump_t
Reply to set the ACL list on an interface.
Definition: acl.api:200
context
u32 context
Definition: ip.api:780
fa_session_t::link_next_idx
u32 link_next_idx
Definition: fa_node.h:116
vec_elt
#define vec_elt(v, i)
Get vector value at index i.
Definition: vec_bootstrap.h:210
clib_error_t
Definition: clib_error.h:21
macip_acl_print
static void macip_acl_print(acl_main_t *am, u32 macip_acl_index)
Definition: acl.c:2741
vl_api_acl_interface_set_acl_list_t::count
u8 count
Definition: acl.api:183
acl_main_t::macip_acl_by_sw_if_index
u32 * macip_acl_by_sw_if_index
Definition: acl.h:213
vl_api_macip_acl_interface_get_t
Get the vector of MACIP ACL IDs applied to the interfaces.
Definition: acl.api:389
vl_api_acl_interface_list_dump_t_handler
static void vl_api_acl_interface_list_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
Definition: acl.c:2047
fa_session_t::as_u16
u16 as_u16
Definition: fa_node.h:111
acl_interface_reset_inout_acls
static void acl_interface_reset_inout_acls(u32 sw_if_index, u8 is_input, int *may_clear_sessions)
Definition: acl.c:762
vl_api_macip_acl_add_replace_t
Add/Replace a MACIP ACL.
Definition: acl.api:296
acl_add_list
static int acl_add_list(u32 count, vl_api_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
Definition: acl.c:317
print_clib_warning_and_reset
static void print_clib_warning_and_reset(vlib_main_t *vm, u8 *out0)
Definition: acl.c:122
acl_set_etype_whitelists
static int acl_set_etype_whitelists(acl_main_t *am, u32 sw_if_index, u16 *vec_in, u16 *vec_out)
Definition: acl.c:830
macip_match_type_t::out_table_index
u32 out_table_index
Definition: acl.c:881
acl_set_aclplugin_acl_fn
static clib_error_t * acl_set_aclplugin_acl_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:2827
acl_fa_per_worker_data_t::swipe_end_time
u64 swipe_end_time
Definition: fa_node.h:202
macip_match_type_t::arp_dot1ad_table_index
u32 arp_dot1ad_table_index
Definition: acl.c:879
vl_api_acl_del_t_handler
static void vl_api_acl_del_t_handler(vl_api_acl_del_t *mp)
Definition: acl.c:1819
bihash_template.c
vl_api_macip_acl_add_replace_t::tag
string tag[64]
Definition: acl.api:301
send_macip_acl_details
static void send_macip_acl_details(acl_main_t *am, vl_api_registration_t *reg, macip_acl_list_t *acl, u32 context)
Definition: acl.c:2167
acl_main_t::macip_acls
macip_acl_list_t * macip_acls
Definition: acl.h:147
acl_show_aclplugin_sessions_fn
static clib_error_t * acl_show_aclplugin_sessions_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3377
acl_plugin
static acl_plugin_methods_t acl_plugin
Definition: acl.c:64
send_macip_acl_interface_list_details
static void send_macip_acl_interface_list_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 acl_index, u32 context)
Definition: acl.c:2276
action
vl_api_mac_event_action_t action
Definition: l2.api:211
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
vl_api_acl_details_t
Details about a single ACL contents.
Definition: acl.api:216
macip_acl_list_t::ip6_table_index
u32 ip6_table_index
Definition: acl.h:95
vl_api_macip_acl_interface_list_dump_t_handler
static void vl_api_macip_acl_interface_list_dump_t_handler(vl_api_macip_acl_interface_list_dump_t *mp)
Definition: acl.c:2301
IP46_TYPE_IP6
Definition: ip46_address.h:27
acl_rule_t::tcp_flags_mask
u8 tcp_flags_mask
Definition: types.h:35
vlib_main_t
Definition: main.h:102
src_mac_mask
vl_api_mac_address_t src_mac_mask
Definition: acl_types.api:95
acl_main_t::per_worker_data
acl_fa_per_worker_data_t * per_worker_data
Definition: acl.h:273
vl_api_acl_plugin_get_conn_table_max_entries_reply_t::conn_table_max_entries
u64 conn_table_max_entries
Definition: acl.api:93
uword
u64 uword
Definition: types.h:112
vec_sort_with_function
#define vec_sort_with_function(vec, f)
Sort a vector using the supplied element comparison function.
Definition: vec.h:1098
dstport_or_icmpcode_first
u16 dstport_or_icmpcode_first
Definition: acl_types.api:63
unformat_free
static void unformat_free(unformat_input_t *i)
Definition: format.h:155
vnet_interface_main_t::sw_interfaces
vnet_sw_interface_t * sw_interfaces
Definition: interface.h:1014
acl_main_t::fa_interrupt_generation
int fa_interrupt_generation
Definition: acl.h:270
acl_main_t::input_sw_if_index_vec_by_acl
u32 ** input_sw_if_index_vec_by_acl
Definition: acl.h:154
acl_fa_per_worker_data_t::cnt_already_deleted_sessions
u64 cnt_already_deleted_sessions
Definition: fa_node.h:198
swif
u32 swif
Definition: interface_output.c:1078
vlib_combined_counter_main_t::name
char * name
The counter collection&#39;s name.
Definition: counter.h:206
acl_main_t::use_tuple_merge
int use_tuple_merge
Definition: acl.h:180
acl_main_t::output_etype_whitelist_by_sw_if_index
u16 ** output_etype_whitelist_by_sw_if_index
Definition: acl.h:210
vlib_cli_command_t
Definition: cli.h:92
vl_api_acl_interface_set_acl_list_t_handler
static void vl_api_acl_interface_set_acl_list_t_handler(vl_api_acl_interface_set_acl_list_t *mp)
Definition: acl.c:1866
acl_fa_per_worker_data_t::fa_conn_list_head
u32 * fa_conn_list_head
Definition: fa_node.h:178
acl_main_t::fa_max_deleted_sessions_per_interval
u64 fa_max_deleted_sessions_per_interval
Definition: acl.h:255
acl_fa_per_worker_data_t::expired
u32 * expired
Definition: fa_node.h:188
acl_set_aclplugin_fn
static clib_error_t * acl_set_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:2518
ip_prefix
Definition: ip_types.h:116
vl_api_acl_interface_list_dump_t::sw_if_index
vl_api_interface_index_t sw_if_index[default=0xffffffff]
Definition: acl.api:235
vl_api_acl_interface_set_acl_list_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:182
fa_session_t::thread_index
u16 thread_index
Definition: fa_node.h:112
ip_address_encode
void ip_address_encode(const ip46_address_t *in, ip46_type_t type, vl_api_address_t *out)
Definition: ip_types_api.c:220
unformat_memory_size
unformat_function_t unformat_memory_size
Definition: format.h:288
fa_session_t
Definition: fa_node.h:105
try_increment_acl_policy_epoch
static void try_increment_acl_policy_epoch(acl_main_t *am, u32 acl_num, int is_input)
Definition: acl.c:253
vl_api_acl_stats_intf_counters_enable_t::enable
bool enable
Definition: acl.api:497
clib_mem_alloc_aligned
static void * clib_mem_alloc_aligned(uword size, uword align)
Definition: mem.h:261
vl_api_macip_acl_interface_get_reply_t::context
u32 context
Definition: acl.api:403
acl_interface_add_del_inout_acl
static int acl_interface_add_del_inout_acl(u32 sw_if_index, u8 is_add, u8 is_input, u32 acl_list_index)
Definition: acl.c:771
bihash_template.h
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
policy_notify_acl_change
static void policy_notify_acl_change(acl_main_t *am, u32 acl_num)
Definition: acl.c:269
acl_rule_t::tcp_flags_value
u8 tcp_flags_value
Definition: types.h:34
clib_strnlen
#define clib_strnlen(s, m)
Definition: string.h:782
dst
vl_api_ip4_address_t dst
Definition: pnat.api:41
vl_api_acl_plugin_get_version_t
Get the plugin version.
Definition: acl.api:32
vlib_get_thread_main
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:56
vl_api_macip_acl_add_replace_reply_t::acl_index
u32 acl_index
Definition: acl.api:316
acl_plugin_show_sessions
static void acl_plugin_show_sessions(acl_main_t *am, u32 show_session_thread_id, u32 show_session_session_index)
Definition: acl.c:3229
copy_acl_rule_to_api_rule
static void copy_acl_rule_to_api_rule(vl_api_acl_rule_t *api_rule, acl_rule_t *r)
Definition: acl.c:1914
acl_main_t::input_etype_whitelist_by_sw_if_index
u16 ** input_etype_whitelist_by_sw_if_index
Definition: acl.h:209
now
f64 now
Definition: nat44_ei_out2in.c:710
verify_message_len
static int verify_message_len(void *mp, u64 expected_len, char *where)
Definition: acl.c:1775
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:213
acl_fa_per_worker_data_t::pending_session_change_request_lock
clib_spinlock_t pending_session_change_request_lock
Definition: fa_node.h:172
u32x4
unsigned long long u32x4
Definition: ixge.c:28
count
u8 count
Definition: dhcp.api:208
acl_main_t::fa_session_total_deactivations
u64 fa_session_total_deactivations
Definition: acl.h:233
print_cli_and_reset
static void print_cli_and_reset(vlib_main_t *vm, u8 *out0)
Definition: acl.c:129
vl_api_macip_acl_add_t
Add a MACIP ACL.
Definition: acl.api:264
is_ipv6
bool is_ipv6
Definition: dhcp.api:202
acl_main_t::reclassify_sessions
int reclassify_sessions
Definition: acl.h:169
show_fa_sessions_hash
void show_fa_sessions_hash(vlib_main_t *vm, u32 verbose)
Definition: sess_mgmt_node.c:917
format_acl_plugin_5tuple
u8 * format_acl_plugin_5tuple(u8 *s, va_list *args)
Definition: dataplane_node.c:703
acl_main_t::input_lc_index_by_sw_if_index
u32 * input_lc_index_by_sw_if_index
Definition: acl.h:142
vl_msg_api_get_msg_length
u32 vl_msg_api_get_msg_length(void *msg_arg)
Definition: api_shared.c:791
acl_list_t
Definition: acl.h:78
macip_acl_list_t::out_ip4_table_index
u32 out_ip4_table_index
Definition: acl.h:98
vl_api_macip_acl_details_t::acl_index
u32 acl_index
Definition: acl.api:378
vl_api_acl_dump_t::client_index
u32 client_index
Definition: acl.api:202
dstport_or_icmpcode_last
u16 dstport_or_icmpcode_last
Definition: acl_types.api:64
acl_main_t::output_sw_if_index_vec_by_acl
u32 ** output_sw_if_index_vec_by_acl
Definition: acl.h:155
ACL_PLUGIN_VERSION_MAJOR
#define ACL_PLUGIN_VERSION_MAJOR
Definition: acl.h:37
macip_acl_list_t::tag
u8 tag[64]
Definition: acl.h:90
acl_show_aclplugin_macip_interface_fn
static clib_error_t * acl_show_aclplugin_macip_interface_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3001
FA_POLICY_EPOCH_MASK
#define FA_POLICY_EPOCH_MASK
Definition: fa_node.h:124
vec_validate_init_empty
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:571
CLIB_CACHE_LINE_BYTES
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
intf_has_etype_whitelist
static int intf_has_etype_whitelist(acl_main_t *am, u32 sw_if_index, int is_input)
Definition: acl.c:504
ip4_header_t
Definition: ip4_packet.h:87
acl_plugin_show_tables_acl_hash_info
void acl_plugin_show_tables_acl_hash_info(u32 acl_index)
Definition: hash_lookup.c:1174
TM_SPLIT_THRESHOLD
#define TM_SPLIT_THRESHOLD
Definition: acl.h:183
vl_api_acl_details_t::count
u32 count
Definition: acl.api:221
vl_api_acl_interface_list_details_t::sw_if_index
vl_api_interface_index_t sw_if_index
Definition: acl.api:250
am
app_main_t * am
Definition: application.c:489
acl_interface_set_inout_acl_list
static int acl_interface_set_inout_acl_list(acl_main_t *am, u32 sw_if_index, u8 is_input, u32 *vec_acl_list_index, int *may_clear_sessions)
Definition: acl.c:622
vl_api_macip_acl_add_t::count
u32 count
Definition: acl.api:269
ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL
#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL
Definition: acl.h:254
vl_api_acl_plugin_control_ping_t_handler
static void vl_api_acl_plugin_control_ping_t_handler(vl_api_acl_plugin_control_ping_t *mp)
Definition: acl.c:106
mac_address_decode
void mac_address_decode(const u8 *in, mac_address_t *out)
Conversion functions to/from (decode/encode) API types to VPP internal types.
Definition: ethernet_types_api.c:34
acl_main_t::acls
acl_list_t * acls
Definition: acl.h:125
vnet_set_output_acl_intfc
int vnet_set_output_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
Definition: in_out_acl.c:139
acl_main_t::output_acl_vec_by_sw_if_index
u32 ** output_acl_vec_by_sw_if_index
Definition: acl.h:151
acl_show_aclplugin_lookup_context_fn
static clib_error_t * acl_show_aclplugin_lookup_context_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: acl.c:3070
macip_match_type_t::out_dot1ad_table_index
u32 out_dot1ad_table_index
Definition: acl.c:884
TCP_SESSION_TRANSIENT_TIMEOUT_SEC
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC
Definition: acl.h:42
macip_acl_rule_t::is_permit
u8 is_permit
Definition: acl.h:67
vl_api_macip_acl_interface_add_del_t_handler
static void vl_api_macip_acl_interface_add_del_t_handler(vl_api_macip_acl_interface_add_del_t *mp)
Definition: acl.c:2148
acl_fa_per_worker_data_t::current_time_wait_interval
u64 current_time_wait_interval
Definition: fa_node.h:194
macip_match_type_t::arp_table_index
u32 arp_table_index
Definition: acl.c:875
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
fa_session_t::link_enqueue_time
u64 link_enqueue_time
Definition: fa_node.h:114
vl_api_macip_acl_add_t::tag
string tag[64]
Definition: acl.api:268
acl_main_t::fa_conn_table_hash_num_buckets
u32 fa_conn_table_hash_num_buckets
Definition: acl.h:242
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:163
ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE
Definition: fa_node.h:24
acl_main_t::fa_session_total_dels
u64 fa_session_total_dels
Definition: acl.h:231
acl_del_list
static int acl_del_list(u32 acl_list_index)
Definition: acl.c:436
acl_fa_per_worker_data_t::clear_in_process
u32 clear_in_process
Definition: fa_node.h:208
send_acl_interface_list_details
static void send_acl_interface_list_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 context)
Definition: acl.c:2003
macip_destroy_classify_tables
static void macip_destroy_classify_tables(acl_main_t *am, u32 macip_acl_index)
Definition: acl.c:1479
vl_api_acl_stats_intf_counters_enable_t
Enable or disable incrementing ACL counters in stats segment by interface processing.
Definition: acl.api:493
vl_api_macip_acl_interface_get_t_handler
static void vl_api_macip_acl_interface_get_t_handler(vl_api_macip_acl_interface_get_t *mp)
Definition: acl.c:2247
acl_fa_per_worker_data_t::interrupt_generation
int interrupt_generation
Definition: fa_node.h:225
acl_main_t::vlib_main
foreach_fa_cleaner_counter vlib_main_t * vlib_main
Definition: acl.h:295